fix: directly copy path validator code over

Author: dcshzj

package-lock.json

@@ -41,7 +41,6 @@
     "@octokit/rest": "^20.1.1",
     "@opengovsg/formsg-sdk": "^0.11.0",
     "@opengovsg/sgid-client": "^2.0.0",
-    "@opengovsg/starter-kitty-validators": "^1.2.11",
     "@slack/bolt": "^3.19.0",
     "auto-bind": "^4.0.0",
     "aws-lambda": "^1.0.7",
@@ -113,7 +112,9 @@
     "validator": "^13.12.0",
     "winston": "^3.13.0",
     "winston-cloudwatch": "^6.3.0",
-    "yaml": "^2.4.2"
+    "yaml": "^2.4.2",
+    "zod": "^3.25.76",
+    "zod-validation-error": "^3.5.3"
   },
   "devDependencies": {
     "@octokit/types": "^6.35.0",

package.json

@@ -1,7 +1,6 @@
 import fs from "fs"
 import path from "path"
 
-import { createPathSchema } from "@opengovsg/starter-kitty-validators"
 import { err, errAsync, ok, okAsync, Result, ResultAsync } from "neverthrow"
 import {
   CleanOptions,
@@ -21,6 +20,8 @@ import { NotFoundError } from "@errors/NotFoundError"
 
 import tracer from "@utils/tracer"
 
+import { createPathSchema } from "@validators/path"
+
 import {
   EFS_VOL_PATH_STAGING,
   EFS_VOL_PATH_STAGING_LITE,

src/services/db/GitFileSystemService.ts

@@ -0,0 +1,99 @@
+import path from "path"
+
+import { ZodSchema, z } from "zod"
+import { fromError } from "zod-validation-error"
+
+class OptionsError extends Error {
+  constructor(message: string) {
+    super(message)
+    this.name = "OptionsError"
+  }
+}
+
+/**
+ * The options to use for path validation.
+ *
+ * @public
+ */
+interface PathValidatorOptions {
+  /**
+   * The base path to use for validation. This must be an absolute path.
+   *
+   * All provided paths, resolved relative to the working directory of the Node process,
+   * must be within this directory (or its subdirectories), or they will be considered unsafe.
+   * You should provide a safe base path that does not contain sensitive files or directories.
+   *
+   * @example `'/var/www'`
+   */
+  basePath: string
+}
+
+const optionsSchema = z.object({
+  basePath: z
+    .string()
+    .refine(
+      (basePath) =>
+        basePath === path.resolve(basePath) && path.isAbsolute(basePath),
+      "The base path must be an absolute path"
+    ),
+})
+
+type ParsedPathValidatorOptions = z.infer<typeof optionsSchema>
+
+export const isSafePath = (absPath: string, basePath: string): boolean => {
+  // check for poison null bytes
+  if (absPath.indexOf("\0") !== -1) {
+    return false
+  }
+  // check for backslashes
+  if (absPath.indexOf("\\") !== -1) {
+    return false
+  }
+
+  // check for dot segments, even if they don't normalize to anything
+  if (absPath.includes("..")) {
+    return false
+  }
+
+  // check if the normalized path is within the provided 'safe' base path
+  if (path.resolve(basePath, path.relative(basePath, absPath)) !== absPath) {
+    return false
+  }
+  if (absPath.indexOf(basePath) !== 0) {
+    return false
+  }
+  return true
+}
+
+const createValidationSchema = (options: ParsedPathValidatorOptions) =>
+  z
+    .string()
+    // resolve the path relative to the Node process's current working directory
+    // since that's what fs operations will be relative to
+    .transform((untrustedPath) => path.resolve(untrustedPath))
+    // resolvedPath is now an absolute path
+    .refine((resolvedPath) => isSafePath(resolvedPath, options.basePath), {
+      message: "The provided path is unsafe.",
+    })
+
+const toSchema = (options: ParsedPathValidatorOptions) =>
+  z.string().trim().pipe(createValidationSchema(options))
+
+/**
+ * Create a schema that validates user-supplied pathnames for filesystem operations.
+ *
+ * @param options - The options to use for validation
+ * @throws {@link OptionsError} If the options are invalid
+ * @returns A Zod schema that validates paths.
+ *
+ * @public
+ */
+export const createPathSchema = (
+  options: PathValidatorOptions
+): ZodSchema<string> => {
+  const result = optionsSchema.safeParse(options)
+  if (result.success) {
+    return toSchema(result.data)
+  }
+  throw new OptionsError(fromError(result.error).toString())
+}