fix: path traversal with more than two dots followed by a leading slash

flydrive-js · May 29, 2024 · 60cf8bf · 60cf8bf
1 parent 5b92cca
commit 60cf8bf
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 4 deletions.
diff --git a/src/key_normalizer.ts b/src/key_normalizer.ts
@@ -39,10 +39,13 @@ export class KeyNormalizer {
     let normalizedKey = string.condenseWhitespace(key)
 
     /**
-     * Normalize slashes to unix style
-     * Remove consecutive '/'
+     * - Normalize slashes to unix style
+     * - Remove consecutive '/'
+     * - Remove more than two dots + slash "..../" to "../"
      */
-    return slash(normalizedKey).replace(/\/{2,}/g, '/')
+    return slash(normalizedKey)
+      .replace(/\/{2,}/g, '/')
+      .replace(/\.{3,}\//g, '../')
   }
 
   /**
@@ -85,7 +88,7 @@ export class KeyNormalizer {
 
     /**
      * Remove leading and ending '/'
-     * Remove leading and ending '.'
+     * Remove leading and ending "."
      */
     return normalizedKey.replace(/^\/|\/$/g, '').replace(/^\.|\.$/g, '')
   }

diff --git a/tests/core/key_normalizer.spec.ts b/tests/core/key_normalizer.spec.ts
@@ -124,6 +124,15 @@ test.group('Key normalizer | Path traversal', () => {
       {
         key: '/./../some/dir',
       },
+      {
+        key: '.../foo/bar',
+      },
+      {
+        key: '\\something\\...\\...\\dirname',
+      },
+      {
+        key: 'beyond/root/.../',
+      },
     ])
     .run(({ assert }, { key }) => {
       assert.throws(
@@ -180,6 +189,10 @@ test.group('Key normalizer | Post normalization', () => {
         key: 'C\\dirname\\\\subdir\\\\\\subsubdir',
         output: 'C/dirname/subdir/subsubdir',
       },
+      {
+        key: '...hello-world',
+        output: '..hello-world',
+      },
     ])
     .run(({ assert }, { key, output }) => {
       assert.equal(new KeyNormalizer().normalize(key), output)