Merge pull request #2 from cabraviva/dev

cabraviva · web-flow · commit b6d2319eac91 · 2024-12-31T10:26:43.000+01:00
Fixed a security vulnerability
diff --git a/lib/index.test.ts b/lib/index.test.ts
@@ -192,4 +192,8 @@ describe('sanitize() - Vulnerability Tests', () => {
     it('Protects reported vulnerability #1', () => {
         expect(linuxSlash(join('/var/app-dir', sanitize("..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5cetc/passwd")))).not.toBe('/etc/passwd')
     })
+
+    it('Protects reported vulnerability #2', () => {
+        expect(linuxSlash(join('/var/app', sanitize("./../../test/../../../../../../../../../../etc/passwd")))).not.toBe('/etc/passwd')
+    })
 })
diff --git a/lib/index.ts b/lib/index.ts
@@ -103,6 +103,20 @@ export default function sanitize(pathstr: string, options: SanitizeOptions = DEF
     // Replace double (back)slashes with a single slash
     sanitizedPath = sanitizedPath.replace(/[\/\\]+/g, '/')
 
+    // Replace /../ with /
+    sanitizedPath = sanitizedPath.replace(options.parentDirectoryRegEx, '/')
+
+    // Remove ./ or / at start
+    while (sanitizedPath.startsWith('/') || sanitizedPath.startsWith('./') || sanitizedPath.endsWith('/..') || sanitizedPath.endsWith('/../') || sanitizedPath.startsWith('../') || sanitizedPath.startsWith('/../')) {
+        sanitizedPath = sanitizedPath.replace(/^\.\//g, '') // ^./
+        sanitizedPath = sanitizedPath.replace(/^\//g, '') // ^/
+        // Remove ../ | /../ at pos 0 and /.. | /../ at end
+        sanitizedPath = sanitizedPath.replace(/^[\/\\]\.\.[\/\\]/g, '/')
+        sanitizedPath = sanitizedPath.replace(/^\.\.[\/\\]/g, '/')
+        sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.$/g, '/')
+        sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.\/$/g, '/')
+    }
+
     // Make sure out is not "."
     sanitizedPath = sanitizedPath.trim() === '.' ? '' : sanitizedPath
 
diff --git a/package.json b/package.json
@@ -20,8 +20,8 @@
     "homepage": "https://github.com/cabraviva/path-sanitizer#readme",
     "types": "dist/index.d.ts",
     "devDependencies": {
-        "@types/node": "^22.9.3",
+        "@types/node": "^22.10.2",
         "typescript": "^5.7.2",
-        "vitest": "^2.1.5"
+        "vitest": "^2.1.8"
     }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

Original file line number	Diff line number	Diff line change
`@@ -20,8 +20,8 @@`
`20`	`20`	`"homepage": "https://github.com/cabraviva/path-sanitizer#readme",`
`21`	`21`	`"types": "dist/index.d.ts",`
`22`	`22`	`"devDependencies": {`
`23`		`- "@types/node": "^22.9.3",`
	`23`	`+ "@types/node": "^22.10.2",`
`24`	`24`	`"typescript": "^5.7.2",`
`25`		`- "vitest": "^2.1.5"`
	`25`	`+ "vitest": "^2.1.8"`
`26`	`26`	`}`
`27`	`27`	`}`