From 9d2d1c5a1b3bd440d2f17257e16c76cce3b1ddf6 Mon Sep 17 00:00:00 2001
From: Nathan Brahms
Date: Mon, 26 Feb 2024 09:57:00 -0800
Subject: [PATCH] auth: Prevent cache path traversal (#36)

e.g. if someone typed in a poison role name in `p0 aws role assume`.
---
 src/drivers/auth.ts | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/drivers/auth.ts b/src/drivers/auth.ts
index e8a1074..b70b27e 100644
--- a/src/drivers/auth.ts
+++ b/src/drivers/auth.ts
@@ -32,11 +32,13 @@ export const cached = async (
 loader: () => Promise,
 options: { duration: number }
 ): Promise => {
- const loc = path.join(
- path.dirname(IDENTITY_FILE_PATH),
- "cache",
- `${name}.json`
- );
+ const cachePath = path.join(path.dirname(IDENTITY_FILE_PATH), "cache");
+ // Following lines sanitize input
+ // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
+ const loc = path.resolve(path.join(cachePath, `${name}.json`));
+ if (!loc.startsWith(cachePath)) {
+ throw new Error("Illegal path traversal");
+ }
 const loadCache = async () => {
 const data = await loader();