Address data migration review feedback

Author: ar2rsawseen

plugins/data_migration/api/api.js

@@ -411,7 +411,7 @@ function trim_ending_slashes(address) {
                     //delete info file
                     try {
                         var importInfoPath = common.resolvePathInBase(path.resolve(__dirname, './../import'), exportid + '.json');
-                        if (importInfoPath) {
+                        if (importInfoPath && fs.existsSync(importInfoPath)) {
                             fs.unlinkSync(importInfoPath);
                         }
                     }

plugins/data_migration/api/data_migration_helper.js

@@ -220,11 +220,11 @@ module.exports = function(my_db) {
         return new Promise(function(resolve, reject) {
             my_exportid = safeDataMigrationId(my_exportid);
             if (my_exportid) {
-                var baseFolder = path.resolve(__dirname, './../' + folder);
                 if (['import', 'export'].indexOf(folder) === -1) {
-                    reject(Error('data-migration.invalid-exportid'));
+                    reject(Error('data-migration.invalid-folder'));
                     return;
                 }
+                var baseFolder = path.resolve(__dirname, './../' + folder);
                 if (remove_archive) {
                     var archivePath = common.resolvePathInBase(baseFolder, my_exportid + '.tar.gz');
                     if (archivePath && fs.existsSync(archivePath)) {

plugins/data_migration/frontend/app.js

@@ -32,7 +32,12 @@ function safeFilename(filename) {
                         if (!err && data) {
                             var myfile = common.resolvePathInBase(path.resolve(__dirname, './../export'), exportid + '.tar.gz');
                             if (data.export_path && data.export_path !== '') {
-                                myfile = data.export_path;
+                                var customExportPath = path.resolve(data.export_path + "");
+                                if (path.basename(customExportPath) !== exportid + '.tar.gz') {
+                                    res.status(400).send('Invalid export file');
+                                    return;
+                                }
+                                myfile = customExportPath;
                             }
                             if (fs.existsSync(myfile)) {
                                 res.set('Content-Type', 'application/x-gzip');
@@ -44,6 +49,14 @@ function safeFilename(filename) {
                                 return;
                             }
                         }
+                        else if (err) {
+                            res.status(500).send('Error loading export file');
+                            return;
+                        }
+                        else {
+                            res.status(404).send('Export file not found');
+                            return;
+                        }
                     });
                 }
                 if (req.query && req.query.logfile) {

plugins/data_migration/tests/index.js

@@ -7,6 +7,7 @@ var path = require("path");
 var fs = require("fs"),
     readline = require('readline'),
     stream = require('stream');
+var os = require('os');
 var cp = require('child_process'); //call process
 const exec = cp.exec; //for calling command line
 const fse = require('fs-extra'); // delete folders
@@ -853,7 +854,7 @@ describe("Testing data migration plugin", function() {
                 });
         });
         it("rejects path traversal in import delete exportid", function(done) {
-            var traversalTarget = "/tmp/countly_data_migration_path_traversal_test";
+            var traversalTarget = path.join(os.tmpdir(), "countly_data_migration_path_traversal_test_" + Date.now());
             var traversalExportId = "../../../../../../../../.." + traversalTarget;
 
             fs.writeFileSync(traversalTarget, "test");