validate path for directory traversal (#540)

* validate path for directory traversal

* use previously constructed requestUrl
This commit is contained in:
Kyle Spearrin 2021-11-10 15:13:13 -05:00 committed by GitHub
parent 1b4a5508bd
commit b99103d3f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 1 deletions


@ -1609,6 +1609,13 @@ export class ApiService implements ApiServiceAbstraction {
authed: boolean, hasResponse: boolean, apiUrl?: string, authed: boolean, hasResponse: boolean, apiUrl?: string,
alterHeaders?: (headers: Headers) => void): Promise<any> { alterHeaders?: (headers: Headers) => void): Promise<any> {
apiUrl = Utils.isNullOrWhitespace(apiUrl) ? this.environmentService.getApiUrl() : apiUrl; apiUrl = Utils.isNullOrWhitespace(apiUrl) ? this.environmentService.getApiUrl() : apiUrl;
const requestUrl = apiUrl + path;
// Prevent directory traversal from malicious paths
if (new URL(requestUrl).href !== requestUrl) {
return Promise.reject('Invalid request url path.');
}
const headers = new Headers({ const headers = new Headers({
'Device-Type': this.deviceType, 'Device-Type': this.deviceType,
}); });
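Review bot: The added guard calls `new URL(requestUrl)` unprotected, and that constructor throws a TypeError for a string it cannot parse, so a malformed apiUrl or path surfaces to callers as a TypeError rejection (this method `await`s below, so the throw becomes a rejection) rather than the `'Invalid request url path.'` rejection the guard intends; parsing inside a try/catch keeps a single failure shape. Comparing the full `href` also rejects any URL the WHATWG parser would merely canonicalize (an empty path with no trailing slash, a default port, characters it percent-encodes), not only dot segments, and if that strictness is intended the comment should say so, e.g. `// Reject any URL the parser would rewrite (dot segments included); the constructed URL must already be canonical`. Rejecting with a string rather than an `Error` is inconsistent with stack-carrying errors elsewhere, but is presumably kept for compatibility with existing callers. The enclosing method's signature begins before this hunk and its body continues past it.
```typescript
const requestUrl = apiUrl + path;
// Prevent directory traversal from malicious paths: the parsed URL must round-trip unchanged.
let canonicalUrl: string;
try {
    canonicalUrl = new URL(requestUrl).href;
} catch (e) {
    return Promise.reject('Invalid request url path.');
}
if (canonicalUrl !== requestUrl) {
    return Promise.reject('Invalid request url path.');
}
// … unchanged: headers construction …
```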
@ -1647,7 +1654,7 @@ export class ApiService implements ApiServiceAbstraction {
} }
requestInit.headers = headers; requestInit.headers = headers;
const response = await this.fetch(new Request(apiUrl + path, requestInit)); const response = await this.fetch(new Request(requestUrl, requestInit));
if (hasResponse && response.status === 200) { if (hasResponse && response.status === 200) {
const responseJson = await response.json(); const responseJson = await response.json();