From 64e0bbab47917ab6e0ec01787fe33951513b6eee Mon Sep 17 00:00:00 2001
From: lucaswadedavis
Date: Fri, 16 Dec 2016 19:24:17 -0800
Subject: [PATCH] Sanitize user input seed.
---
 package.json | 1 +
 server.js | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index d619ed9..121bea8 100644
--- a/package.json
+++ b/package.json
@@ -21,6 +21,7 @@
 "chance": "^1.0.4",
 "express": "^4.14.0",
 "node-gyp": "^3.4.0",
+ "sanitize-filename": "^1.6.1",
 "uuid": "^3.0.1"
 }
 }
diff --git a/server.js b/server.js
index 344884b..5205be9 100644
--- a/server.js
+++ b/server.js
@@ -1,6 +1,7 @@
 var fs = require('fs');
 var express = require('express');
 var uuid = require('uuid/v4');
+var sanitize = require('sanitize-filename');
 var Canvas = require('canvas');
 var Fox = require('./js/fox.js');
@@ -54,9 +55,9 @@ app.get('/:width', function(req, res) {
 app.get('/:width/:seed', function(req, res) {
 var width = parseInt(req.params.width);
- var seed = req.params.seed;
+ var seed = sanitize(req.params.seed);
 if (width === undefined) width = 400;
- if (seed === undefined) seed = uuid();
+ if (!seed) seed = uuid();
 var fileName = writeFoxToDisk(width, width, seed);
 res.send('');
 });
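Review bot: The `width` parameter in the `/:width/:seed` handler is still effectively unvalidated: `parseInt` returns `NaN` for non-numeric input, never `undefined`, so `if (width === undefined) width = 400;` cannot fire, and nothing bounds the value before it reaches `writeFoxToDisk`. I would parse with a radix and clamp, e.g. `var width = parseInt(req.params.width, 10);` followed by `if (!(width > 0 && width <= MAX_WIDTH)) width = 400;`, where `MAX_WIDTH` is a placeholder for a limit the project chooses. Separately, `sanitize()` constrains the seed to a safe file name but not how many distinct names a client can request; judging by its name, `writeFoxToDisk` writes one file per seed, so a cap or cleanup policy for the output directory is worth confirming. A short comment above the `sanitize` call, such as `// seed becomes part of a file name; strip path separators and reserved names`, would record why the call is there.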