
Commit c85140d

committed
fix: added validation to download endpoint
1 parent 3aa9905 commit c85140d

2 files changed

+50
-49
lines changed


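--- a/api/utils/requestProcessor.js
+++ b/api/utils/requestProcessor.js
@@ -1930,60 +1930,61 @@ const processRequest = (params) => {
 }, params);
 break;
 case 'download': {
-if (paths[4] && paths[4] !== '') {
-common.db.collection("long_tasks").findOne({_id: paths[4]}, function(err, data) {
-if (err) {
-common.returnMessage(params, 400, err);
-}
-else {
-var filename = data.report_name;
-var type = filename.split(".");
-type = type[type.length - 1];
-var myfile = paths[4];
-var headers = {};
-
-countlyFs.gridfs.getSize("task_results", myfile, {id: paths[4]}, function(err2, size) {
-if (err2) {
-common.returnMessage(params, 400, err2);
-}
-else if (parseInt(size) === 0) {
-if (data.type !== "dbviewer") {
-common.returnMessage(params, 400, "Export size is 0");
-}
-//handling older aggregations that aren't saved in countly_fs
-else if (!data.gridfs && data.data) {
-type = "json";
-filename = data.name + "." + type;
-headers = {};
-headers["Content-Type"] = countlyApi.data.exports.getType(type);
-headers["Content-Disposition"] = "attachment;filename=" + encodeURIComponent(filename);
-params.res.writeHead(200, headers);
-params.res.write(data.data);
-params.res.end();
+validateRead(params, "core", () => {
+if (paths[4] && paths[4] !== '') {
+common.db.collection("long_tasks").findOne({_id: paths[4]}, function(err, data) {
+if (err) {
+common.returnMessage(params, 400, err);
+}
+else {
+var filename = data.report_name;
+var type = filename.split(".");
+type = type[type.length - 1];
+var myfile = paths[4];
+var headers = {};
+
+countlyFs.gridfs.getSize("task_results", myfile, {id: paths[4]}, function(err2, size) {
+if (err2) {
+common.returnMessage(params, 400, err2);
 }
-}
-else {
-countlyFs.gridfs.getStream("task_results", myfile, {id: myfile}, function(err5, stream) {
-if (err5) {
-common.returnMessage(params, 400, "Export stream does not exist");
+else if (parseInt(size) === 0) {
+if (data.type !== "dbviewer") {
+common.returnMessage(params, 400, "Export size is 0");
 }
-else {
+//handling older aggregations that aren't saved in countly_fs
+else if (!data.gridfs && data.data) {
+type = "json";
+filename = data.name + "." + type;
 headers = {};
 headers["Content-Type"] = countlyApi.data.exports.getType(type);
 headers["Content-Disposition"] = "attachment;filename=" + encodeURIComponent(filename);
 params.res.writeHead(200, headers);
-stream.pipe(params.res);
+params.res.write(data.data);
+params.res.end();
 }
-});
-}
-});
-}
-
-});
-}
-else {
-common.returnMessage(params, 400, 'Missing filename');
-}
+}
+else {
+countlyFs.gridfs.getStream("task_results", myfile, {id: myfile}, function(err5, stream) {
+if (err5) {
+common.returnMessage(params, 400, "Export stream does not exist");
+}
+else {
+headers = {};
+headers["Content-Type"] = countlyApi.data.exports.getType(type);
+headers["Content-Disposition"] = "attachment;filename=" + encodeURIComponent(filename);
+params.res.writeHead(200, headers);
+stream.pipe(params.res);
+}
+});
+}
+});
+}
+});
+}
+else {
+common.returnMessage(params, 400, 'Missing filename');
+}
+});
 break;
 }
 case 'data':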
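Review bot: The new findOne callback at line 1940 still dereferences `data.report_name` without checking that a document was found, so an unknown `_id` in `paths[4]` throws inside the callback instead of producing a response; the guard at line 1936 only covers `err`. Change it to `if (err || !data) { common.returnMessage(params, 400, err || 'Export not found'); }`. validateRead now gates the endpoint on read permission for "core", but the task is then fetched by the client-supplied id alone; if long_tasks documents carry an app id (the frontend change in this commit now sends `app_id`, which suggests the check is app-scoped), compare it with the app the permission was granted for before streaming, or add a comment stating why any readable task may be downloaded. `parseInt(size)` at line 1950 should also pass a radix, `parseInt(size, 10)`. The enclosing processRequest switch starts and ends outside the hunk.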

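--- a/frontend/express/public/core/report-manager/javascripts/countly.views.js
+++ b/frontend/express/public/core/report-manager/javascripts/countly.views.js
@@ -389,8 +389,8 @@
 }
 else if (command === "download-task") {
 self.$emit("download-task", row);
-var app_id = row.type === "dbviewer" ? "" : "&app_id=" + row.app_id + "";
-var link = countlyCommon.API_PARTS.data.r + '/export/download/' + row._id + "?auth_token=" + countlyGlobal.auth_token + app_id;
+var app_id = row.app_id && row.app_id !== "undefined" ? row.app_id : countlyCommon.ACTIVE_APP_ID;
+var link = countlyCommon.API_PARTS.data.r + '/export/download/' + row._id + "?auth_token=" + countlyGlobal.auth_token + "&app_id=" + app_id;
 window.location = link;
 }
 }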
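Review bot: The fallback at line 392 treats the literal string "undefined" as a missing app id, which papers over a serialization problem in the row data rather than fixing it; a comment such as `// row.app_id can arrive as the string "undefined" for rows stored without an app — TODO find the source` would keep the comparison from being removed as dead code later. At line 393 `app_id` and `row._id` are still concatenated into the query string unencoded, and the auth token travels in the URL where it lands in browser history and server logs; the token placement predates this commit, but the new parameter can at least be encoded: `"&app_id=" + encodeURIComponent(app_id)`. The enclosing command handler starts outside the hunk.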
