From bb2e75880592b804ba20ba70b8e9f0b185ea5a79 Mon Sep 17 00:00:00 2001
From: Cabra Viva
Date: Tue, 31 Dec 2024 10:23:57 +0100
Subject: [PATCH] Fixed a security advisory GHSA-94p5-r7cc-3rpr

---
 lib/index.test.ts | 4 ++++
 lib/index.ts | 14 ++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/lib/index.test.ts b/lib/index.test.ts
index 7e70410..78c5989 100644
--- a/lib/index.test.ts
+++ b/lib/index.test.ts
@@ -192,4 +192,8 @@ describe('sanitize() - Vulnerability Tests', () => {
 it('Protects reported vulnerability #1', () => {
 expect(linuxSlash(join('/var/app-dir', sanitize("..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5cetc/passwd")))).not.toBe('/etc/passwd')
 })
+
+ it('Protects reported vulnerability #2', () => {
+ expect(linuxSlash(join('/var/app', sanitize("./../../test/../../../../../../../../../../etc/passwd")))).not.toBe('/etc/passwd')
+ })
 })
diff --git a/lib/index.ts b/lib/index.ts
index f1d4dae..3c08a33 100644
--- a/lib/index.ts
+++ b/lib/index.ts
@@ -103,6 +103,20 @@ export default function sanitize(pathstr: string, options: SanitizeOptions = DEF
 // Replace double (back)slashes with a single slash
 sanitizedPath = sanitizedPath.replace(/[\/\\]+/g, '/')
+ // Replace /../ with /
+ sanitizedPath = sanitizedPath.replace(options.parentDirectoryRegEx, '/')
+
+ // Remove ./ or / at start
+ while (sanitizedPath.startsWith('/') || sanitizedPath.startsWith('./') || sanitizedPath.endsWith('/..') || sanitizedPath.endsWith('/../') || sanitizedPath.startsWith('../') || sanitizedPath.startsWith('/../')) {
+ sanitizedPath = sanitizedPath.replace(/^\.\//g, '') // ^./
+ sanitizedPath = sanitizedPath.replace(/^\//g, '') // ^/
+ // Remove ../ | /../ at pos 0 and /.. | /../ at end
+ sanitizedPath = sanitizedPath.replace(/^[\/\\]\.\.[\/\\]/g, '/')
+ sanitizedPath = sanitizedPath.replace(/^\.\.[\/\\]/g, '/')
+ sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.$/g, '/')
+ sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.\/$/g, '/')
+ }
+
+ // Make sure out is not "."
 sanitizedPath = sanitizedPath.trim() === '.' ? '' : sanitizedPath
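Review bot: The single global `replace(options.parentDirectoryRegEx, '/')` added at the top of the hunk cannot remove adjacent parent segments if that pattern consumes the slash on both sides (its definition is outside the hunk, so this is inferred): each match eats the slash the following `../` needs, so a constructed input like `a/../../b` comes out as `a/../b`, and with enough repeated segments the leftovers still walk above the directory passed to `join`, while the `while` loop below only inspects the start and end of the string. Apply that replacement to a fixed point, e.g. `let prev: string; do { prev = sanitizedPath; sanitizedPath = sanitizedPath.replace(options.parentDirectoryRegEx, '/') } while (prev !== sanitizedPath)`, and add a regression test whose payload has adjacent `../` segments in the middle of the path rather than only at the start as in vulnerability #2. The comment `// Remove ./ or / at start` undersells the loop, which also strips a trailing `/..`; `// Strip leading ./, /, ../ and trailing /.. until the string is stable` would match the condition. sanitize() continues outside the hunk, so a positive containment check (resolving the result against the base directory and rejecting anything not under it) may already exist there; if it does not, it is the more robust guard than pattern stripping.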