diff --git a/src/serve_style.js b/src/serve_style.js
index 866e1f5..8e6b74f 100644
--- a/src/serve_style.js
+++ b/src/serve_style.js
@@ -122,8 +122,9 @@ export const serve_style = {
 );
 return res.sendStatus(404);
 }
- const spriteScale = allowedSpriteScales(scale);
+ const sprite = item.spritePaths.find((sprite) => sprite.id === spriteID);
+ const spriteScale = allowedSpriteScales(scale);
 if (!sprite || spriteScale === null) {
 if (verbose)
 console.error(
@@ -136,7 +137,9 @@ export const serve_style = {
 return res.status(400).send('Bad Sprite ID or Scale');
 }
- const filename = `${sprite.path}${spriteScale}.${validatedFormat}`;
+ const sanitizedSpritePath = sprite.path.replace(/^(\.\.\/)+/, '');
+
+ const filename = `${sanitizedSpritePath}${spriteScale}.${validatedFormat}`;
 if (verbose) console.log(`Loading sprite from: %s`, filename);
 // eslint-disable-next-line security/detect-non-literal-fs-filename
@@ -151,9 +154,9 @@ export const serve_style = {
 return res.sendStatus(404);
 }
- if (format === 'json') {
+ if (validatedFormat === 'json') {
 res.header('Content-type', 'application/json');
- } else if (format === 'png') {
+ } else if (validatedFormat === 'png') {
 res.header('Content-type', 'image/png');
 }
 if (verbose)
diff --git a/src/utils.js b/src/utils.js
index d0ebd85..7f85bca 100644
--- a/src/utils.js
+++ b/src/utils.js
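Review bot: The arrow parameter in `item.spritePaths.find((sprite) => sprite.id === spriteID)` shadows the `sprite` constant it is initializing, which reads confusingly and trips no-shadow lint rules; `const sprite = item.spritePaths.find((entry) => entry.id === spriteID);` says the same thing without the shadow. The `!sprite` test two lines below already covers an unknown spriteID, so behaviour is not affected. The enclosing handler starts before this hunk and continues past it.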
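Review bot: `sprite.path.replace(/^(\.\.\/)+/, '')` only strips a leading run of `../`; it leaves `/../` segments later in the string, an absolute path, and backslash separators untouched, so if the intent is to keep the read inside the sprite directory it does not enforce that. sprite.path appears to come from the configured `item.spritePaths` rather than the request, and the request-controlled parts of `filename` are the already validated `spriteScale` and `validatedFormat`, so the practical effect of this strip is small; if containment of the configured path is the goal, resolving the joined path and checking that it stays under the configured sprite directory is the check that actually does it. The same pattern is applied to `fontPath` in the src/utils.js hunk at -196 and the same remark applies there. The enclosing handler starts and ends outside this hunk.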
@@ -196,19 +196,29 @@ export function fixTileJSONCenter(tileJSON) {
 */
 function getFontPbf(allowedFonts, fontPath, name, range, fallbacks) {
 return new Promise((resolve, reject) => {
- const fontMatch = name?.match(/^[\w\s-]+$/);
- if (!name || typeof name !== 'string' || name.trim() === '' || !fontMatch) {
- console.error('ERROR: Invalid font name: %s', 'invalid');
- return reject('Invalid font name');
- }
- const sanitizedName = fontMatch[0];
- const filename = path.join(fontPath, sanitizedName, `${range}.pbf`);
-
- if (!/^\d+-\d+$/.test(range)) {
- console.error('ERROR: Invalid range: %s', range);
- return reject('Invalid range');
- }
 if (!allowedFonts || (allowedFonts[name] && fallbacks)) {
+ const fontMatch = name?.match(/^[\w\s-]+$/);
+ if (
+ !name ||
+ typeof name !== 'string' ||
+ name.trim() === '' ||
+ !fontMatch
+ ) {
+ console.error('ERROR: Invalid font name: %s', 'invalid');
+ return reject('Invalid font name');
+ }
+ const sanitizedName = fontMatch[0];
+ console.error('ERROR: Invalid font name: %s', sanitizedName);
+ if (!/^\d+-\d+$/.test(range)) {
+ console.error('ERROR: Invalid range: %s', range);
+ return reject('Invalid range');
+ }
+ const sanitizedFontPath = fontPath.replace(/^(\.\.\/)+/, '');
+ const filename = path.join(
+ sanitizedFontPath,
+ sanitizedName,
+ `${range}.pbf`,
+ );
 if (!fallbacks) {
 fallbacks = clone(allowedFonts || {});
 }
@@ -224,7 +234,7 @@ function getFontPbf(allowedFonts, fontPath, name, range, fallbacks) {
 if (fallbacks && Object.keys(fallbacks).length) {
 let fallbackName;
- let fontStyle = sanitizedName.split(' ').pop();
+ let fontStyle = name.split(' ').pop();
 if (['Regular', 'Bold', 'Italic'].indexOf(fontStyle) < 0) {
 fontStyle = 'Regular';
 }
@@ -235,6 +245,7 @@ function getFontPbf(allowedFonts, fontPath, name, range, fallbacks) {
 fallbackName = Object.keys(fallbacks)[0];
 }
 }
+
 console.error(
 `ERROR: Trying to use %s as a fallback for: %s`,
 fallbackName,
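Review bot: `console.error('ERROR: Invalid font name: %s', sanitizedName);` is reached only after the name has passed validation, so every successful font lookup now logs an ERROR line carrying a valid name; it looks like a leftover debug statement and should be removed. In the same hunk `name?.match(...)` runs before the `typeof name !== 'string'` test, so a non-string, non-nullish `name` (a number, say) throws inside the executor instead of taking the `reject('Invalid font name')` path; `const fontMatch = typeof name === 'string' ? name.match(/^[\w\s-]+$/) : null;` keeps the rejection uniform. Because that regex is anchored at both ends, `sanitizedName` is always identical to `name`, which is why the -224 hunk's switch to `name.split(' ')` changes nothing. The allow-list test `allowedFonts[name]` on the unchanged `if` line now runs before any validation and is a plain property read, so inherited Object.prototype keys satisfy it too; `Object.hasOwn(allowedFonts, name)` limits it to configured fonts. The function continues past the end of the hunk, so I cannot see whether the `else` branch still rejects names that fail that test, which the relocated validation now relies on.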