Conversation
| }); | ||
|
|
||
| fs.writeFileSync( | ||
| `${presetsPath + presetFolder.filename}.json`, |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Copilot Autofix
AI 9 months ago
To fix the issue, we need to ensure that presetFolder.filename is sanitized or validated before being used to construct the file path. Since the filename is expected to be a simple name without path components, we can use the sanitize-filename npm package to remove any special characters or path traversal sequences. This will ensure that the constructed file path remains within the intended directory.
Steps to fix:
- Install the `sanitize-filename` package if it is not already installed.
- Import the `sanitize-filename` package in `src/backend/utils/presetHelpers.ts`.
- Use `sanitizeFilename` to sanitize `presetFolder.filename` before constructing the file path in the `savePresetFolder` function.
| @@ -4,2 +4,3 @@ | ||
| import fs from 'fs'; | ||
| import sanitizeFilename from 'sanitize-filename'; | ||
| import { | ||
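Review bot: `sanitize-filename` is a CommonJS module that exports a single function, so the default-import form `import sanitizeFilename from 'sanitize-filename'` only type-checks and runs correctly when `esModuleInterop` (or `allowSyntheticDefaultImports`) is enabled in the project's tsconfig; confirm that setting is on, or switch to `import sanitizeFilename = require('sanitize-filename')`, otherwise this compiles to a call on an undefined default export.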
| @@ -392,4 +393,5 @@ | ||
|
|
||
| const sanitizedFilename = sanitizeFilename(presetFolder.filename); | ||
| fs.writeFileSync( | ||
| `${presetsPath + presetFolder.filename}.json`, | ||
| `${presetsPath + sanitizedFilename}.json`, | ||
| fileData, |
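Review bot: `sanitizeFilename` can return an empty string (an input of `..` is stripped entirely), in which case this line writes to `${presetsPath}.json`, and two distinct inputs can sanitize to the same name and silently overwrite each other. Treat an empty or altered result as a validation failure instead of writing, and build the target with `path.join(presetsPath, sanitizedFilename + '.json')` followed by a check that `path.resolve` of the result still starts with the resolved presets directory; the current string concatenation also assumes `presetsPath` ends with a separator.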
| @@ -154,3 +154,4 @@ | ||
| "uuidv4": "^6.2.13", | ||
| "zustand": "^4.5.1" | ||
| "zustand": "^4.5.1", | ||
| "sanitize-filename": "^1.6.3" | ||
| }, |
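Review bot: the new entry is appended after `"zustand"`, breaking the alphabetical ordering the neighbouring entries follow (`"uuidv4"`, `"zustand"`); move `"sanitize-filename": "^1.6.3"` to its sorted position, and regenerate the lockfile in the same commit so installs resolve the same 1.6.3 that the dependency-review table below reports.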
| Package | Version | Security advisories |
|---|---|---|
| sanitize-filename (npm) | 1.6.3 | None |
| preset: Preset, | ||
| ): void => { | ||
| if (!presetFolder.presetsHash) { | ||
| presetFolder.presetsHash = {}; |
Check warning
Code scanning / CodeQL
Prototype-polluting assignment Medium
Copilot Autofix
AI 9 months ago
To fix the issue, we need to prevent prototype pollution by ensuring that user-controlled keys cannot modify Object.prototype. This can be achieved by:
- Using a `Map` instead of a plain object for `presetsHash`, as `Map` does not inherit from `Object.prototype` and is immune to prototype pollution.
- Alternatively, creating a prototype-less object using `Object.create(null)` for `presetsHash` ensures that it does not inherit from `Object.prototype`.
The best approach here is to use Object.create(null) for presetsHash to minimize changes to the existing codebase while addressing the vulnerability.
| @@ -404,3 +404,3 @@ | ||
| if (!presetFolder.presetsHash) { | ||
| presetFolder.presetsHash = {}; | ||
| presetFolder.presetsHash = Object.create(null); | ||
| } |
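Review bot: this only changes the object created when `presetsHash` is absent; if a `presetFolder` arrives with `presetsHash` already set (for instance one that was persisted and read back as a plain object), it keeps its `Object.prototype` chain and this guard never runs. The key written into `presetsHash` is still externally influenced, so pair this with the same `isValidKey` check the `parentRoutesHash` fix introduces (rejecting `__proto__`, `constructor`, `prototype`) or use a `Map`, and be aware that `Object.create(null)` objects have no `hasOwnProperty`, so any existing `presetsHash.hasOwnProperty(...)` call elsewhere would now throw; use `Object.hasOwn` or `Object.prototype.hasOwnProperty.call` instead.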
…ignment Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
| const newParent = createNewParent(parentPath); | ||
|
|
||
| if (!server.parentRoutesHash) { | ||
| server.parentRoutesHash = Object.create(null); |
Check warning
Code scanning / CodeQL
Prototype-polluting assignment Medium
Copilot Autofix
AI 9 months ago
To fix the issue, we need to ensure that keys assigned to server.parentRoutesHash are sanitized to prevent prototype-polluting keys like __proto__, constructor, or prototype. This can be achieved by validating the newParent.id before using it as a key. If the key is invalid, we should throw an error or handle it appropriately.
The best approach is to add a utility function to validate keys and use it in the ensureParentExists function. This ensures that only safe keys are used in the assignment.
| @@ -155,2 +155,6 @@ | ||
|
|
||
| const isValidKey = (key: string): boolean => { | ||
| return !['__proto__', 'constructor', 'prototype'].includes(key); | ||
| }; | ||
|
|
||
| export const ensureParentExists = ( | ||
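Review bot: `isValidKey` is a deny-list of three literal names and is module-private, so it cannot be reused for the identical key assignment into `presetsHash` in presetHelpers; export it from a shared util, and if route ids have a known shape, an allow-list pattern is safer than enumerating bad names. Since `server.parentRoutesHash` is already created with `Object.create(null)`, these keys cannot reach `Object.prototype` through it, so the check is defence in depth here, but it is the primary control wherever a plain object receives the same id.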
| @@ -170,2 +174,7 @@ | ||
| } | ||
|
|
||
| if (!isValidKey(newParent.id)) { | ||
| throw new Error(`Invalid key detected: ${newParent.id}`); | ||
| } | ||
|
|
||
| server.parentRoutesHash[newParent.id] = newParent; |
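Review bot: throwing from `ensureParentExists` changes its contract for every caller, and none of them is updated in the visible hunks; document the new throw in the function's doc comment or return a failure value callers can handle. The message also interpolates the rejected key verbatim (`Invalid key detected: ${newParent.id}`); if that error is logged or surfaced to a client, pass the key as a structured field rather than embedding an externally chosen string in the message text.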
No description provided.