From ef0a397029ac7a512e6cd16be2a78dabffe1557e Mon Sep 17 00:00:00 2001
From: Hiago Lucas Cardeal de Melo Silva
Date: Mon, 27 Feb 2023 12:28:17 -0300
Subject: [PATCH] add path traversal validation

---
 CHANGELOG.md                           | 3 +++
 node/clients/intelligent-search-api.ts | 12 ++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f2a9727..c47cfa8c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Added
+- Path traversal validation.
+
 ## [1.64.0] - 2023-02-24
 
 ### Added
diff --git a/node/clients/intelligent-search-api.ts b/node/clients/intelligent-search-api.ts
index e2557a13..959044f0 100644
--- a/node/clients/intelligent-search-api.ts
+++ b/node/clients/intelligent-search-api.ts
@@ -1,6 +1,7 @@
 import { ExternalClient, InstanceOptions, IOContext } from "@vtex/api";
 import { parseState } from "../utils/searchState";
 
+const isPathTraversal = (str: string) => str.indexOf('..') >= 0
 interface CorrectionParams {
   query: string
 }
@@ -77,10 +78,18 @@ export class IntelligentSearchApi extends ExternalClient {
   }
 
   public async banners(params: BannersArgs, path: string) {
+    if (isPathTraversal(path)) {
+      throw new Error("Malformed URL")
+    }
+
     return this.http.get(`/banners/${path}`, {params: {...params, query: params.query, locale: this.locale}, metric: 'banners'})
   }
 
   public async facets(params: FacetsArgs, path: string, shippingHeader?: string[]) {
+    if (isPathTraversal(path)) {
+      throw new Error("Malformed URL")
+    }
+
     const {query, leap, searchState} = params
     return this.http.get(`/facets/${path}`, {
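Review bot: `isPathTraversal` in the first intelligent-search-api.ts hunk only matches a literal `..`, so a percent-encoded dot segment passes the guard and is still interpolated verbatim into the `/banners/`, `/facets/` and `/product_search/` URLs in the later hunks (the same guard is reused in all three, so fixing the helper fixes them together). Decoding once and comparing whole `/`-separated segments closes that gap and also stops rejecting legitimate names that merely contain two dots (`foo..bar`); a decode failure should count as malformed rather than propagate. The `throw new Error("Malformed URL")` lines are plain `Error`s, which presumably surface as a 500 — if the project uses `@vtex/api`'s `UserInputError` elsewhere, a 4xx class would be more accurate, and a one-line TSDoc on the helper (`/** Rejects a caller-supplied path segment that would escape the intended API route. */`) would document why it exists. The facets hunk's trailing context line is cut off in this view.
```typescript
/** Rejects a caller-supplied path that, after one URL-decode, contains a `.` or `..` segment or is undecodable. */
const isPathTraversal = (str: string) => {
  let decoded: string
  try { decoded = decodeURIComponent(str) } catch { return true }
  return decoded.split('/').some(seg => seg === '..' || seg === '.')
}
```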
@@ -100,6 +109,9 @@ export class IntelligentSearchApi extends ExternalClient {
   public async productSearch(params: SearchResultArgs, path: string, shippingHeader?: string[]) {
     const {query, leap, searchState} = params
+    if (isPathTraversal(path)) {
+      throw new Error("Malformed URL")
+    }
     return this.http.get(`/product_search/${path}`, {
       params: {