PS-2450 EC-1073 Do not decode and normalize query (#4708)

Co-authored-by: Jake Fink <jfink@bitwarden.com>
Matt Gibson 2023-02-10 12:34:19 -05:00 committed by GitHub
parent 6a7a7299c2
commit 13746c1840
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions


@ -1991,7 +1991,9 @@ export class ApiService implements ApiServiceAbstraction {
apiUrl = Utils.isNullOrWhitespace(apiUrl) ? this.environmentService.getApiUrl() : apiUrl; apiUrl = Utils.isNullOrWhitespace(apiUrl) ? this.environmentService.getApiUrl() : apiUrl;
// Prevent directory traversal from malicious paths // Prevent directory traversal from malicious paths
const requestUrl = apiUrl + Utils.normalizePath(path); const pathParts = path.split("?");
const requestUrl =
apiUrl + Utils.normalizePath(pathParts[0]) + (pathParts.length > 1 ? `?${pathParts[1]}` : "");
const headers = new Headers({ const headers = new Headers({
"Device-Type": this.deviceType, "Device-Type": this.deviceType,
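Review bot: `path.split("?")` on the new `pathParts` line keeps only the first two pieces, so a query whose value contains a literal `?` is silently truncated at the second `?` when `requestUrl` is assembled. Splitting once at the first `?` avoids that: `const queryStart = path.indexOf("?");` followed by `const requestUrl = apiUrl + Utils.normalizePath(queryStart < 0 ? path : path.slice(0, queryStart)) + (queryStart < 0 ? "" : path.slice(queryStart));`. The existing comment `// Prevent directory traversal from malicious paths` now sits above code that passes the query through unmodified, so it should be reworded to say that only the path component is normalized, the query string is appended verbatim, and callers remain responsible for encoding query values. The enclosing method starts and ends outside the hunk, and `Utils.normalizePath` is not visible here, so how it treats the path portion is assumed from its name and the comment.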