Merge pull request #192 from SalesforceCommerceCloud/url-fixes

@W-18131752@ URL adjustments

Author: vcua-mobify

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## v3.3.0
 - Allow custom params for 'loginGuestUser', 'authorizeIDP' and custom body for 'loginRegisteredUserB2C' functions [#186](https://github.com/SalesforceCommerceCloud/commerce-sdk-isomorphic/pull/186)
 - Add helper to encode special SCAPI characters [#189](https://github.com/SalesforceCommerceCloud/commerce-sdk-isomorphic/pull/189)
+- Normalize URLs to remove the possibility of path traversal from fetch calls [#192](https://github.com/SalesforceCommerceCloud/commerce-sdk-isomorphic/pull/192)
 
 ## v3.2.0
 

package.json

@@ -181,7 +181,7 @@
     },
     {
       "path": "commerce-sdk-isomorphic-with-deps.tgz",
-      "maxSize": "562 kB"
+      "maxSize": "565 kB"
     }
   ],
   "proxy": "https://SHORTCODE.api.commercecloud.salesforce.com"

scripts/utils.ts

@@ -140,6 +140,7 @@ export async function updateApis(
   deployment: RegExp,
   rootPath: string
 ): Promise<void> {
+  /* eslint-disable-next-line no-console */
   console.warn('updateApis is deprecated. Use downloadLatestApis instead.');
 
   const matchedApis = await download.search(`"${name}"`, deployment);

src/static/templateUrl.test.ts

@@ -103,3 +103,41 @@ it.each([
 ])('combines %s, %s and %s into %s', (url, base, parameters, expected) => {
   expect(new TemplateURL(url, base, parameters).toString()).toBe(expected);
 });
+
+it.each([
+  ['../simple', 'https://example.com', {}, 'https://example.com/simple'],
+  ['%2e%2e%2f/simple', 'https://example.com', {}, 'https://example.com/simple'],
+  ['%2E%2E%2F/simple', 'https://example.com', {}, 'https://example.com/simple'],
+  [
+    '%252e%252e%252fsimple',
+    'https://example.com',
+    {},
+    'https://example.com/simple',
+  ],
+  [
+    '..%252e%252e%252f./simple',
+    'https://example.com',
+    {},
+    'https://example.com/simple',
+  ],
+  [
+    '%252E%252e%252F./../%2e%2f/simple',
+    'https://example.com',
+    {},
+    'https://example.com/simple',
+  ],
+  [
+    'simple?q=aa.aaa/',
+    'https://example.com',
+    {},
+    'https://example.com/simple?q=aa.aaa/',
+  ],
+  [
+    '../simple/{sub}//',
+    'https://example.com',
+    {pathParams: {sub: 'one'}},
+    'https://example.com/simple/one/',
+  ],
+])('Normalize %s path', (url, base, parameters, expected) => {
+  expect(new TemplateURL(url, base, parameters).toString()).toBe(expected);
+});

src/static/templateUrl.ts

@@ -86,11 +86,22 @@ export default class TemplateURL extends URL {
     template: string,
     parameters?: PathParameters
   ): string {
-    return parameters
+    let templatedUrl = parameters
       ? template.replace(
           /\{([^\}]+)\}/g /* eslint-disable-line no-useless-escape */,
           (match, param: string) => String(parameters[param])
         )
       : template;
+
+    // Regex for ./ ../ and encoded variants
+    const pathTraversalRegex =
+      /(\.|%2e|%2E|%252e|%252E)+(\/|%2f|%2F|%252f|%252F)+/g;
+
+    if (templatedUrl.match(pathTraversalRegex)) {
+      /* eslint-disable-next-line no-console */
+      console.warn('Path traversal attempt detected. Normalizing url');
+      templatedUrl = templatedUrl.replace(pathTraversalRegex, '');
+    }
+    return templatedUrl;
   }
 }