Project/Version rename, multi-game support, depenency rework & other changes #89

Saeraphinx · 2025-06-09T16:18:57Z

closes #88
closes #4
closes #83
closes #23

Dependency rework

…ates

(cherry picked from commit 62253e6)

…y? localized entirely within your kitchen? (begin validation against swagger file)

Rename Mod/ModVersion to Project/Version

…ame, disable beatmods importer, update api responses to not send generic messages

This reverts commit 6c8be9c.

test/database/games.test.ts

…tAPIPublicResponse` instead.

src/api/routes/v3/createMod.ts

+            }).then(async (project) => {
+                DatabaseHelper.refreshCache(`projects`);
+                if (iconIsValid) {
+                    (icon as UploadedFile).mv(filePath);


To fix the issue, we need to ensure that the constructed filePath is both normalized and validated to prevent directory traversal or other attacks. This can be achieved by:

Using path.resolve to normalize the path and remove any .. segments.

Using fs.realpathSync to resolve symbolic links and ensure the path points to a real location.

Validating that the resolved path starts with the expected root directory (Config.storage.iconsDir).

Additionally, we should sanitize the icon.name using a library like sanitize-filename to remove any special characters that could be used maliciously.

Changes required:

Add the sanitize-filename package to sanitize icon.name.

Update the construction and validation of filePath to include normalization, symbolic link resolution, and sanitization.

src/api/routes/v3/createMod.ts

+            if (filePath.startsWith(`${path.resolve(Config.storage.modsDir)}`) == false) {
+                return res.status(400).send({ message: `Invalid zip file.` });
+            } else {
+                file.mv(filePath);


src/api/routes/v3/updateMod.ts

+            let oldFileName = project.iconFileName;
+            project.iconFileName = `${icon.md5}${path.extname(icon.name)}`;
+            project.save().then((project) => {
+                icon.mv(filePath, (error) => {


Saeraphinx and others added 30 commits April 29, 2025 16:00

i hate everything about this

13eef53

Merge branch 'main' into dependency-rework

3ad6037

Merge branch 'main' into dependency-rework

b5ec069

switch over all the things

6b2979a

fix migrations

cb21af5

implement & fix migration hook

9ca30d3

tests & fixes

fb35331

Merge pull request #84 from Saeraphinx/dependency-rework

4fd31df

Dependency rework

update variable names & database entires

71241fc

update strings pt 2

fe36dd5

update api responses

ee20195

Refactor mod-related routes and validation schemas, documentation upd…

d882f2e

…ates

documentation updates

3148485

continuing development

5b91016

more renaming and documentation updates

e4f59dd

shortterm fix for zUpdateProject does not use base project values #88

acd1a22

(cherry picked from commit 62253e6)

more doc updates

83a8bed

holy changes batman

986671b

one more

683d157

good lord what is happening in there?

57e48c7

aurora borealis

fc2da53

at this time of year? at this time of day? in this part of the countr…

53fd158

…y? localized entirely within your kitchen? (begin validation against swagger file)

schema tests

969188c

include status when checking for duplicates in /ba/linkVersionsExclude

aa5183a

Merge branch 'main' into rename-everything

3f388d3

Merge pull request #86 from Saeraphinx/rename-everything into dev

0fea2c6

Rename Mod/ModVersion to Project/Version

update auth objects in docs

15390b7

Merge remote-tracking branch 'origin/ba-check-status' into dev

f191674

remove hardcoded games & categories, begin moving webhook config to g…

dd49cc7

…ame, disable beatmods importer, update api responses to not send generic messages

allow edits to edits

c9d1b21

Saeraphinx self-assigned this Jun 9, 2025

Saeraphinx added 13 commits June 9, 2025 16:26

revert changes in versions.ts from ee20195 due to endpoint deprecation

d86b8b0

dont forget to respond to POST /games/:gamename/category

d8d60c6

update changelog

4b92cb2

add gamename to webhook embeds

40df83a

update webhooks to support multiple games

d3d9ac3

begin webhook and category management

6c8be9c

finalize category endpoints & begin webhook config supports

1ccd1a8

Revert "begin webhook and category management"

81c15d1

This reverts commit 6c8be9c.

Merge branch 'dev' of https://github.com/Saeraphinx/badbsmods into dev

ec79088

fix $ref tag

7a7930e

begin webhook management endpoints and response schema

e5cdd38

final touches and begin testing

3503ea0

update test data & tests, fix all game helper functions

80a0f9f

github-advanced-security bot found potential problems Jun 11, 2025

View reviewed changes

test/database/games.test.ts Dismissed Show dismissed Hide dismissed

Saeraphinx added 12 commits June 12, 2025 08:43

rename /mods to /projects and readd legacy /mods

11cdb58

add version linking and unlinking endpoints

9310872

Merge branch 'dev' of https://github.com/Saeraphinx/badbsmods into dev

c5ac650

updare w/ results of lint and test

7953d54

update tests for route change

a1a3a95

remove unused config options

5d0d0dc

changelog updates & rename /users/:id/mods

4cab329

push version id, not project id

3398d8a

knew i forgot one test

52c6d66

ProjectVersion pair has been removed, added versions to the `Projec…

f52c115

…tAPIPublicResponse` instead.

update tests

963d0f8

begin versioning

4771103

github-advanced-security bot found potential problems Jul 14, 2025

View reviewed changes

Saeraphinx added 2 commits July 14, 2025 12:18

add back old endpoints

f37e210

update old endpoints to new methods

f055792

@@ -2,2 +2,4 @@
             import path from 'node:path';
+            import fs from 'node:fs';
+            import sanitize from 'sanitize-filename';
             import { DatabaseHelper, ContentHash, Status, UserRoles } from '../../../shared/Database.ts';
@@ -88,4 +90,6 @@
                                 // move the icon to the correct location
-                                filePath = `${path.resolve(Config.storage.iconsDir)}/${icon.md5}${path.extname(icon.name)}`;
-                                if (filePath.startsWith(`${path.resolve(Config.storage.iconsDir)}`) == false) {
+                                const sanitizedFileName = sanitize(icon.name);
+                                filePath = path.resolve(Config.storage.iconsDir, `${icon.md5}${path.extname(sanitizedFileName)}`);
+                                const resolvedFilePath = fs.realpathSync(filePath);
+                                if (!resolvedFilePath.startsWith(fs.realpathSync(Config.storage.iconsDir))) {
                                     iconIsValid = false;

@@ -39,3 +39,4 @@
                 "zod": "^3.24.1",
-                "zod-validation-error": "^3.4.1"
+                "zod-validation-error": "^3.4.1",
+                "sanitize-filename": "^1.6.3"
               },

Package	Version	Security advisories
sanitize-filename (npm)	1.6.3	None

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Project/Version rename, multi-game support, depenency rework & other changes #89

Project/Version rename, multi-game support, depenency rework & other changes #89

Uh oh!

Saeraphinx commented Jun 9, 2025

Uh oh!

Uh oh!

Check failure

Copilot Autofix

Check failure

Check failure

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Project/Version rename, multi-game support, depenency rework & other changes #89

Are you sure you want to change the base?

Project/Version rename, multi-game support, depenency rework & other changes #89

Uh oh!

Conversation

Saeraphinx commented Jun 9, 2025

Uh oh!

Uh oh!

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Check failure

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants