Fixed Semgrep issues (#22)

sunil-lakshman · web-flow · commit faa5bd387994 · 2024-07-05T12:35:17.000+05:30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Change log
 
+### Version: 4.0.4
+#### Date: July-09-2024
+Fixed semgrep issues
+
 ### Version: 4.0.3
 #### Date: June-11-2024
 Fixed region issue
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@contentstack/delivery-sdk",
-  "version": "4.0.3",
+  "version": "4.0.4",
   "type": "commonjs",
   "main": "./dist/cjs/src/index.js",
   "types": "./dist/types/src/index.d.ts",
diff --git a/src/lib/query.ts b/src/lib/query.ts
@@ -3,6 +3,10 @@ import { BaseQuery } from './base-query';
 import { BaseQueryParameters, QueryOperation, QueryOperator, TaxonomyQueryOperation } from './types';
 import { params, queryParams } from './internal-types';
 
+const safePatterns: RegExp[] = [
+  /^[a-zA-Z0-9_.-]+$/, // Alphanumeric with underscores, periods, and dashes
+];
+
 export class Query extends BaseQuery {
   private _contentTypeUid?: string;
 
@@ -23,19 +27,15 @@ export class Query extends BaseQuery {
     const alphanumericRegex = /^[a-zA-Z0-9_.-]+$/;
     return alphanumericRegex.test(input);
   }
-  // Validate if input is a valid regex pattern
+
+  // Validate if input matches any of the safe, pre-approved patterns
   private isValidRegexPattern(input: string): boolean {
-    try {
-      RegExp(input)
-      return true;
-    }
-    catch {
+    if (!this.isValidAlphanumeric(input)) {
       return false;
     }
-
+    return safePatterns.some(pattern => pattern.test(input));
   }
 
-  // Validate if value is an array of strings, numbers, or booleans
   private isValidValue(value: any[]): boolean {
     return Array.isArray(value) && value.every(item => typeof item === 'string' || typeof item === 'number' || typeof item === 'boolean');
   }
diff --git a/tools/cleanup.js b/tools/cleanup.js
@@ -1,28 +1,58 @@
 const fs = require('fs');
 const path = require('path');
-/* eslint-enable */
+
+function validateAndSanitize(input) {
+  // Allow only alphanumeric characters, dashes, underscores, and dots for file extensions
+  return input.replace(/[^a-zA-Z0-9-_\.]/g, '');
+}
+
+function ensureSafePath(basePath, targetPath) {
+  const resolvedBase = path.resolve(basePath);
+  const resolvedTarget = path.resolve(basePath, targetPath);
+
+  // console.log('Base Path:', resolvedBase);
+  // console.log('Target Path:', resolvedTarget);
+
+  if (resolvedTarget.indexOf(resolvedBase) !== 0) {
+    throw new Error(`Unsafe path detected: ${resolvedTarget} is not within ${resolvedBase}`);
+  }
+
+  return resolvedTarget;
+}
 
 const deleteFolderRecursive = (_path) => {
+  // console.log('Attempting to delete:', _path);
+
   if (fs.existsSync(_path)) {
     fs.readdirSync(_path).forEach((file) => {
-      const curPath = path.join(_path, file);
+      const sanitizedFile = validateAndSanitize(file);
+      const curPath = ensureSafePath(_path, sanitizedFile);
+
+      // console.log('Deleting:', curPath);
+
       if (fs.lstatSync(curPath).isDirectory()) {
         deleteFolderRecursive(curPath);
       } else {
         fs.unlinkSync(curPath);
       }
     });
     fs.rmdirSync(_path);
+  } else {
+    console.log('Path does not exist:', _path);
   }
 };
 
+const rootDir = path.resolve(__dirname, '..'); // Set the base path to the root of the project
 const folder = process.argv.slice(2)[0];
+const sanitizedFolder = folder ? validateAndSanitize(folder) : null;
 
-if (folder) {
-  deleteFolderRecursive(path.join(__dirname, '../dist', folder));
+if (sanitizedFolder) {
+  // console.log('Sanitized folder:', sanitizedFolder);
+  deleteFolderRecursive(ensureSafePath(rootDir, path.join('dist', sanitizedFolder)));
 } else {
-  deleteFolderRecursive(path.join(__dirname, '../dist/cjs'));
-  deleteFolderRecursive(path.join(__dirname, '../dist/esm'));
-  deleteFolderRecursive(path.join(__dirname, '../dist/umd'));
-  deleteFolderRecursive(path.join(__dirname, '../dist/types'));
-}
+  // console.log('No folder specified, deleting default directories...');
+  deleteFolderRecursive(ensureSafePath(rootDir, 'dist/cjs'));
+  deleteFolderRecursive(ensureSafePath(rootDir, 'dist/esm'));
+  deleteFolderRecursive(ensureSafePath(rootDir, 'dist/umd'));
+  deleteFolderRecursive(ensureSafePath(rootDir, 'dist/types'));
+}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@contentstack/delivery-sdk",`
`3`		`- "version": "4.0.3",`
	`3`	`+ "version": "4.0.4",`
`4`	`4`	`"type": "commonjs",`
`5`	`5`	`"main": "./dist/cjs/src/index.js",`
`6`	`6`	`"types": "./dist/types/src/index.d.ts",`