more robust url checking (#422)

gabor · web-flow · commit d7972444d64f · 2024-06-13T14:38:25.000+02:00
diff --git a/src/api.ts b/src/api.ts
@@ -158,7 +158,9 @@ export default class Api {
   }
 }
 
-function isSafeURL(url: string) {
+function isSafeURL(origUrl: string) {
+  // browsers interpret backslash as slash
+  const url = origUrl.replace(/\\/g, '/');
   if (url.endsWith('/..')) {
     return false;
   }
diff --git a/src/datasource.test.ts b/src/datasource.test.ts
@@ -42,14 +42,25 @@ test('range gets converted into unix epoch notation', () => {
 describe('datasource', () => {
   it('should not allow urls that contains ..', async () => {
     const ds = new JsonDataSource({ url: 'http://localhost:3000', jsonData: {} } as any);
-    const badPaths = ['/..', '/..?', '/../../', '/../..?'];
+    const badPaths = [
+      '/..',
+      '\\..',
+      '/..?',
+      '\\..?',
+      '/../../',
+      '\\../../',
+      '/..\\../',
+      '\\..\\../',
+      '/../..?',
+      '\\../..?',
+    ];
 
     for (let path of badPaths) {
       const response = ds.doRequest({ urlPath: path, method: 'GET' } as any);
       await expect(response).rejects.toThrowError('URL path contains unsafe characters');
     }
 
-    const goodPaths = ['/..thing', '/one..two/', '/thing../'];
+    const goodPaths = ['/..thing', '\\..thing', '/one..two/', '\\one..two\\', '/thing../', '\\thing..\\'];
 
     for (let path of goodPaths) {
       const response = ds.doRequest({ urlPath: path, method: 'GET' } as any);

Original file line number	Diff line number	Diff line change
`@@ -158,7 +158,9 @@ export default class Api {`
`158`	`158`	`}`
`159`	`159`	`}`
`160`	`160`
`161`		`-function isSafeURL(url: string) {`
	`161`	`+function isSafeURL(origUrl: string) {`
	`162`	`+ // browsers interpret backslash as slash`
	`163`	`+ const url = origUrl.replace(/\\/g, '/');`
`162`	`164`	`if (url.endsWith('/..')) {`
`163`	`165`	`return false;`
`164`	`166`	`}`