From a2711cfb7b5b454182393aa160e45ccbf52c949d Mon Sep 17 00:00:00 2001
From: zadam
Date: Sat, 18 May 2024 05:50:46 +0200
Subject: [PATCH] verify that the uploaded modified file is temporary

---
 package-lock.json | 4 ++--
 src/routes/api/files.js | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index c8c24644e..6e63af257 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "trilium",
- "version": "0.63.3",
+ "version": "0.63.5",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "trilium",
- "version": "0.63.3",
+ "version": "0.63.5",
 "hasInstallScript": true,
 "license": "AGPL-3.0-only",
 "dependencies": {
diff --git a/src/routes/api/files.js b/src/routes/api/files.js
index 72bd0ee11..ee4e5c884 100644
--- a/src/routes/api/files.js
+++ b/src/routes/api/files.js
@@ -154,12 +154,16 @@ function saveAttachmentToTmpDir(req) {
 return saveToTmpDir(fileName, content, 'attachments', attachment.attachmentId);
 }
 
+const createdTemporaryFiles = new Set();
+
 function saveToTmpDir(fileName, content, entityType, entityId) {
 const tmpObj = tmp.fileSync({ postfix: fileName });
 fs.writeSync(tmpObj.fd, content);
 fs.closeSync(tmpObj.fd);
 
+ createdTemporaryFiles.add(tmpObj.name);
+
 log.info(`Saved temporary file ${tmpObj.name}`);
 
 if (utils.isElectron()) {
@@ -183,6 +187,10 @@ function uploadModifiedFileToNote(req) {
 const noteId = req.params.noteId;
 const {filePath} = req.body;
 
+ if (!createdTemporaryFiles.has(filePath)) {
+ throw new ValidationError(`File '${filePath}' is not a temporary file.`);
+ }
+
 const note = becca.getNoteOrThrow(noteId);
 
 log.info(`Updating note '${noteId}' with content from '${filePath}'`);
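Review bot: `createdTemporaryFiles` in the files.js hunk at line 154 is a process-lifetime allowlist that is only ever added to, so it grows with every `saveToTmpDir` call and keeps accepting a path after its temp file has been removed; at minimum document the intent above the declaration, e.g. `// Allowlist of tmp paths created by this process: uploadModifiedFileToNote may only read back a path found here, never an arbitrary path taken from the request body.`, and consider deleting an entry when its tmp file is cleaned up. In the hunk at line 183 the rejection is silent apart from the thrown error; a `log.info(\`Rejected upload from non-temporary path '${filePath}'\`);` before the `throw` would make repeated rejections visible in the server log. The exact-match `has()` check is the right shape here, since `tmp.fileSync` chooses the name and any normalized or traversal variant of a legitimate path is rejected rather than resolved, and it correctly runs before `becca.getNoteOrThrow`. `ValidationError` is not imported in either hunk, so this assumes it is already in scope at the top of files.js; `uploadModifiedFileToNote` starts at the hunk header and continues past the end of the hunk.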