Merge pull request #23 from contentstack/next

Fixed Semgrep issues

Author: harshithad0703

CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Change log
 
+### Version: 4.0.4
+#### Date: July-10-2024
+Fixed semgrep issues
+
 ### Version: 4.0.3
 #### Date: June-11-2024
 Fixed region issue

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@contentstack/delivery-sdk",
-  "version": "4.0.3",
+  "version": "4.0.4",
   "type": "commonjs",
   "main": "./dist/cjs/src/index.js",
   "types": "./dist/types/src/index.d.ts",

package.json

@@ -3,6 +3,10 @@ import { BaseQuery } from './base-query';
 import { BaseQueryParameters, QueryOperation, QueryOperator, TaxonomyQueryOperation } from './types';
 import { params, queryParams } from './internal-types';
 
+const safePatterns: RegExp[] = [
+  /^[a-zA-Z0-9_.-]+$/, // Alphanumeric with underscores, periods, and dashes
+];
+
 export class Query extends BaseQuery {
   private _contentTypeUid?: string;
 
@@ -23,19 +27,15 @@ export class Query extends BaseQuery {
     const alphanumericRegex = /^[a-zA-Z0-9_.-]+$/;
     return alphanumericRegex.test(input);
   }
-  // Validate if input is a valid regex pattern
+
+  // Validate if input matches any of the safe, pre-approved patterns
   private isValidRegexPattern(input: string): boolean {
-    try {
-      RegExp(input)
-      return true;
-    }
-    catch {
+    if (!this.isValidAlphanumeric(input)) {
       return false;
     }
-
+    return safePatterns.some(pattern => pattern.test(input));
   }
 
-  // Validate if value is an array of strings, numbers, or booleans
   private isValidValue(value: any[]): boolean {
     return Array.isArray(value) && value.every(item => typeof item === 'string' || typeof item === 'number' || typeof item === 'boolean');
   }

src/lib/query.ts

@@ -4,19 +4,15 @@ import MockAdapter from 'axios-mock-adapter';
 import { HOST_URL } from '../utils/constant';
 import { contentTypeQueryFindResponseDataMock } from '../utils/mocks';
 import axios, { Axios } from 'axios';
+import { MOCK_CLIENT_OPTIONS } from '../utils/constant';
 
 describe('ContentTypeQuery class', () => {
   let contentTypeQuery: ContentTypeQuery;
   let client: AxiosInstance;
   let mockClient: MockAdapter;
-  let clientConfig: HttpClientParams;
 
   beforeAll(() => {
-    clientConfig = {
-      apiKey: 'API_KEY',
-      accessToken: 'DELIVERY_TOKEN',
-    };
-    client = httpClient(clientConfig);
+    client = httpClient(MOCK_CLIENT_OPTIONS);
     mockClient = new MockAdapter(client as any);
   });
 

test/unit/contenttype-query.spec.ts

@@ -2,18 +2,14 @@ import { TaxonomyQuery } from "../../src/lib/taxonomy-query";
 import { AxiosInstance, HttpClientParams, httpClient } from "@contentstack/core";
 import MockAdapter from 'axios-mock-adapter';
 import { QueryOperation, QueryOperator, TaxonomyQueryOperation } from "../../src/lib/types";
+import { MOCK_CLIENT_OPTIONS } from '../utils/constant';
 
 describe("Taxonomy-query class", () => {
     let taxonomyQuery: TaxonomyQuery;
     let client: AxiosInstance;
-    let clientConfig: HttpClientParams;
 
     beforeAll(() => {
-        clientConfig = {
-            apiKey: 'API_KEY',
-            accessToken: 'DELIVERY_TOKEN',
-        };
-        client = httpClient(clientConfig);
+        client = httpClient(MOCK_CLIENT_OPTIONS);
     })
 
     beforeEach(() => {

test/unit/taxonomy-query.spec.ts

@@ -1,28 +1,65 @@
 const fs = require('fs');
 const path = require('path');
-/* eslint-enable */
+
+// To remove the relative path 
+function sanitizePath(str) {
+  return str ? str.replace(/^(\.\.(\/|\\|$))+/, '') : str;
+}
+
+
+function validateAndSanitize(input) {
+  // Allow only alphanumeric characters, dashes, underscores, and dots for file extensions
+  return input.replace(/[^a-zA-Z0-9-_\.]/g, '');
+}
+
+function ensureSafePath(basePath, targetPath) {
+  const resolvedBase = path.resolve(basePath);
+  const resolvedTarget = path.resolve(basePath, targetPath);
+
+  // console.log('Base Path:', resolvedBase);
+  // console.log('Target Path:', resolvedTarget);
+
+  if (resolvedTarget.indexOf(resolvedBase) !== 0) {
+    throw new Error(`Unsafe path detected: ${resolvedTarget} is not within ${resolvedBase}`);
+  }
+
+  return resolvedTarget;
+}
 
 const deleteFolderRecursive = (_path) => {
+  // console.log('Attempting to delete:', _path);
+
   if (fs.existsSync(_path)) {
-    fs.readdirSync(_path).forEach((file) => {
-      const curPath = path.join(_path, file);
+    const sanitizedPath = sanitizePath(_path);
+    fs.readdirSync(sanitizedPath).forEach((file) => {
+      const sanitizedFile = validateAndSanitize(file);
+      const curPath = ensureSafePath(_path, sanitizedFile);
+
+      // console.log('Deleting:', curPath);
+
       if (fs.lstatSync(curPath).isDirectory()) {
         deleteFolderRecursive(curPath);
       } else {
         fs.unlinkSync(curPath);
       }
     });
     fs.rmdirSync(_path);
+  } else {
+    console.log('Path does not exist:', _path);
   }
 };
 
+const rootDir = path.resolve(__dirname, '..'); // Set the base path to the root of the project
 const folder = process.argv.slice(2)[0];
+const sanitizedFolder = folder ? validateAndSanitize(folder) : null;
 
-if (folder) {
-  deleteFolderRecursive(path.join(__dirname, '../dist', folder));
+if (sanitizedFolder) {
+  // console.log('Sanitized folder:', sanitizedFolder);
+  deleteFolderRecursive(ensureSafePath(rootDir, path.join('dist', sanitizedFolder)));
 } else {
-  deleteFolderRecursive(path.join(__dirname, '../dist/cjs'));
-  deleteFolderRecursive(path.join(__dirname, '../dist/esm'));
-  deleteFolderRecursive(path.join(__dirname, '../dist/umd'));
-  deleteFolderRecursive(path.join(__dirname, '../dist/types'));
-}
+  // console.log('No folder specified, deleting default directories...');
+  deleteFolderRecursive(ensureSafePath(rootDir, 'dist/cjs'));
+  deleteFolderRecursive(ensureSafePath(rootDir, 'dist/esm'));
+  deleteFolderRecursive(ensureSafePath(rootDir, 'dist/umd'));
+  deleteFolderRecursive(ensureSafePath(rootDir, 'dist/types'));
+}