

Merge pull request #2 from cabraviva/dev
Fixed a security vulnerability
cabraviva authored Dec 31, 2024
2 parents b37caa7 + bb2e758 commit b6d2319
Showing 4 changed files with 80 additions and 62 deletions.
4 changes: 4 additions & 0 deletions lib/index.test.ts
Expand Up @@ -192,4 +192,8 @@ describe('sanitize() - Vulnerability Tests', () => {
it('Protects reported vulnerability #1', () => {
expect(linuxSlash(join('/var/app-dir', sanitize("..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5cetc/passwd")))).not.toBe('/etc/passwd')
})

it('Protects reported vulnerability #2', () => {
expect(linuxSlash(join('/var/app', sanitize("./../../test/../../../../../../../../../../etc/passwd")))).not.toBe('/etc/passwd')
})
})
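Review bot: The new assertion on the `Protects reported vulnerability #2` line only rules out one exact result, so a sanitizer that still lets the joined path climb to `/var/passwd` or `/etc` would pass it. Asserting containment in the base directory pins the property the fix is meant to guarantee, e.g. `expect(linuxSlash(join('/var/app', sanitize("./../../test/../../../../../../../../../../etc/passwd"))).startsWith('/var/app/')).toBe(true)`. The same weakness applies to the existing `#1` test just above it. `linuxSlash` and `join` are defined or imported outside this hunk.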
14 changes: 14 additions & 0 deletions lib/index.ts
Expand Up @@ -103,6 +103,20 @@ export default function sanitize(pathstr: string, options: SanitizeOptions = DEF
// Replace double (back)slashes with a single slash
sanitizedPath = sanitizedPath.replace(/[\/\\]+/g, '/')

// Replace /../ with /
sanitizedPath = sanitizedPath.replace(options.parentDirectoryRegEx, '/')

// Remove ./ or / at start
while (sanitizedPath.startsWith('/') || sanitizedPath.startsWith('./') || sanitizedPath.endsWith('/..') || sanitizedPath.endsWith('/../') || sanitizedPath.startsWith('../') || sanitizedPath.startsWith('/../')) {
sanitizedPath = sanitizedPath.replace(/^\.\//g, '') // ^./
sanitizedPath = sanitizedPath.replace(/^\//g, '') // ^/
// Remove ../ | /../ at pos 0 and /.. | /../ at end
sanitizedPath = sanitizedPath.replace(/^[\/\\]\.\.[\/\\]/g, '/')
sanitizedPath = sanitizedPath.replace(/^\.\.[\/\\]/g, '/')
sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.$/g, '/')
sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.\/$/g, '/')
}

// Make sure out is not "."
sanitizedPath = sanitizedPath.trim() === '.' ? '' : sanitizedPath

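Review bot: The `/../` collapse on the `options.parentDirectoryRegEx` line runs exactly once, and a global regex replace is non-overlapping, so if that pattern matches `/../` with both slashes (as the comment above it says) a run such as `a/../../../b` comes out as `a/../../b`, which `path.join('/var/app', …)` still resolves to `/var/b`; the `while` loop that follows only strips `..` segments at the very start and end of the string, not in the middle. Repeating the replacement until it makes no progress closes that gap, as in the rewrite below. A bare leading `/..` also appears to survive as `..` (the loop removes the slash and then no condition matches), unless code below the hunk handles it, so either `sanitizedPath = sanitizedPath.replace(/^\.\.$/, '')` after the loop or a test for that input seems worth adding. `sanitize` begins before this hunk (its signature is on the `@@` line) and continues past it.
```typescript
// Replace /../ with / until none is left: a single global replace consumes the
// trailing slash of each match, so adjacent segments such as /../../ survive one pass
let previous: string
do {
  previous = sanitizedPath
  sanitizedPath = sanitizedPath.replace(options.parentDirectoryRegEx, '/')
} while (sanitizedPath !== previous)
// … unchanged: start/end stripping loop and the "." check …
```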
4 changes: 2 additions & 2 deletions package.json
Expand Up @@ -20,8 +20,8 @@
"homepage": "https://github.com/cabraviva/path-sanitizer#readme",
"types": "dist/index.d.ts",
"devDependencies": {
"@types/node": "^22.9.3",
"@types/node": "^22.10.2",
"typescript": "^5.7.2",
"vitest": "^2.1.5"
"vitest": "^2.1.8"
}
}
120 changes: 60 additions & 60 deletions pnpm-lock.yaml

