Merge pull request #450 from vtex-apps/bugfix/avoid-path-traversal

add path traversal validation
vtex-apps · Feb 27, 2023 · 1d123d8 · 1d123d8
2 parents 4189f2f + ef0a397
commit 1d123d8
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Added
+- Path traversal validation.
+
 ## [1.64.0] - 2023-02-24
 
 ### Added

diff --git a/node/clients/intelligent-search-api.ts b/node/clients/intelligent-search-api.ts
@@ -1,6 +1,7 @@
 import { ExternalClient, InstanceOptions, IOContext } from "@vtex/api";
 import { parseState } from "../utils/searchState";
 
+const isPathTraversal = (str: string) => str.indexOf('..') >= 0
 interface CorrectionParams {
   query: string
 }
@@ -77,10 +78,18 @@ export class IntelligentSearchApi extends ExternalClient {
   }
 
   public async banners(params: BannersArgs, path: string) {
+    if (isPathTraversal(path)) {
+      throw new Error("Malformed URL")
+    }
+
     return this.http.get(`/banners/${path}`, {params: {...params, query: params.query, locale: this.locale}, metric: 'banners'})
   }
 
   public async facets(params: FacetsArgs, path: string, shippingHeader?: string[]) {
+    if (isPathTraversal(path)) {
+      throw new Error("Malformed URL")
+    }
+
     const {query, leap, searchState} = params
 
     return this.http.get(`/facets/${path}`, {
@@ -100,6 +109,9 @@ export class IntelligentSearchApi extends ExternalClient {
 
   public async productSearch(params: SearchResultArgs, path: string, shippingHeader?: string[]) {
     const {query, leap, searchState} = params
+    if (isPathTraversal(path)) {
+      throw new Error("Malformed URL")
+    }
 
     return this.http.get(`/product_search/${path}`, {
       params: {