☁️ Fix server sync file download when server-files are in .config (#6010)

* fix server sync file download when server-files are in .config directory on linux * extra security * release notes * putting it back after testing * also accounting for directories * derp
2026-04-28 18:40:34 -05:00 · 2025-10-27 20:11:40 +00:00
parent 45a4f0a40d
commit 37481535e7
3 changed files with 19 additions and 1 deletions
--- a/packages/desktop-client/.gitignore
+++ b/packages/desktop-client/.gitignore
@@ -31,3 +31,6 @@ public/*.wasm

 # translations
 locale/
+
+# service worker build output
+dev-dist
--- a/packages/sync-server/src/app-sync.ts
+++ b/packages/sync-server/src/app-sync.ts
@@ -1,6 +1,7 @@
 // @ts-strict-ignore
 import { Buffer } from 'node:buffer';
 import fs from 'node:fs/promises';
+import { resolve } from 'node:path';

 import { SyncProtoBuf } from '@actual-app/crdt';
 import express from 'express';
@@ -306,8 +307,16 @@ app.get('/download-user-file', async (req, res) => {
    return;
  }

+  const path = getPathForUserFile(fileId);
+
+  if (!path.startsWith(resolve(config.get('userFiles')))) {
+    //Ensure the user doesn't try to access files outside of the user files directory
+    res.status(403).send('Access denied');
+    return;
+  }
+
  res.setHeader('Content-Disposition', `attachment;filename=${fileId}`);
-  res.sendFile(getPathForUserFile(fileId));
+  res.sendFile(path, { dotfiles: 'allow' });
 });

 app.post('/update-user-filename', (req, res) => {
--- a/upcoming-release-notes/6010.md
+++ b/upcoming-release-notes/6010.md
@@ -0,0 +1,6 @@
+---
+category: Bugfix
+authors: [MikesGlitch]
+---
+
+Fix sync server file download when files are in .config directory on linux