COG-GTM · devin-ai-integration · Jul 28, 2025
diff --git a/routes/index.js b/routes/index.js
@@ -36,11 +36,13 @@ exports.index = function (req, res, next) {
 
 exports.loginHandler = function (req, res, next) {
   if (validator.isEmail(req.body.username)) {
-    User.find({ username: req.body.username, password: req.body.password }, function (err, users) {
+    const username = req.body.username.toString();
+    const password = req.body.password.toString();
+
+    User.find({ username: username, password: password }, function (err, users) {
       if (users.length > 0) {
         const redirectPage = req.body.redirectPage
         const session = req.session
-        const username = req.body.username
         return adminLoginSuccess(redirectPage, session, username, res)
       } else {
         return res.status(401).send()
@@ -58,7 +60,11 @@ function adminLoginSuccess(redirectPage, session, username, res) {
   console.log(`User logged in: ${username}`)
 
   if (redirectPage) {
-      return res.redirect(redirectPage)
+      if (redirectPage.startsWith('/') && !redirectPage.startsWith('//')) {
+          return res.redirect(redirectPage)
+      } else {
+          return res.redirect('/admin')
+      }
   } else {
       return res.redirect('/admin')
   }
@@ -158,12 +164,11 @@ exports.create = function (req, res, next) {
     var url = item.match(imgRegex)[1];
     console.log('found img: ' + url);
 
-    exec('identify ' + url, function (err, stdout, stderr) {
-      console.log(err);
-      if (err !== null) {
-        console.log('Error (' + err + '):' + stderr);
-      }
-    });
+    if (validator.isURL(url, { protocols: ['http', 'https'] })) {
+      console.log('Image URL validated but command execution disabled for security');
+    } else {
+      console.log('Invalid image URL provided');
+    }
 
   } else {
     item = parse(item);
@@ -254,14 +259,25 @@ exports.import = function (req, res, next) {
   if (importedFileType["mime"] === zipFileExt["mime"]) {
     var zip = AdmZip(importFile.data);
     var extracted_path = "/tmp/extracted_files";
-    zip.extractAllTo(extracted_path, true);
-    data = "No backup.txt file found";
-    fs.readFile('backup.txt', 'ascii', function (err, data) {
-      if (!err) {
-        data = data;
-      }
+
+    var zipEntries = zip.getEntries();
+    var hasUnsafePath = zipEntries.some(function(entry) {
+      var entryName = entry.entryName;
+      return entryName.includes('../') || entryName.startsWith('/') || entryName.includes('..\\');
     });
-  } else {
+
+    if (hasUnsafePath) {
+      data = "Unsafe zip file detected - extraction blocked for security";
+    } else {
+      zip.extractAllTo(extracted_path, true);
+      data = "No backup.txt file found";
+      fs.readFile('backup.txt', 'ascii', function (err, data) {
+        if (!err) {
+          data = data;
+        }
+      });
+    }
+  }else {
     data = importFile.data.toString('ascii');
   }
   var lines = data.split('\n');
@@ -344,7 +360,13 @@ exports.chat = {
       icon: '👋',
     };
 
-    _.merge(message, req.body.message, {
+    const userMessage = req.body.message || {};
+    const safeMessage = {
+      text: userMessage.text ? userMessage.text.toString() : '',
+      icon: userMessage.icon ? userMessage.icon.toString() : message.icon
+    };
+
+    Object.assign(message, safeMessage, {
       id: lastId++,
       timestamp: Date.now(),
       userName: user.name,