remove dependency

Author: dcshzj

package-lock.json

@@ -112,9 +112,7 @@
     "validator": "^13.12.0",
     "winston": "^3.13.0",
     "winston-cloudwatch": "^6.3.0",
-    "yaml": "^2.4.2",
-    "zod": "^3.25.76",
-    "zod-validation-error": "^3.5.3"
+    "yaml": "^2.4.2"
   },
   "devDependencies": {
     "@octokit/types": "^6.35.0",

package.json

@@ -20,8 +20,6 @@ import { NotFoundError } from "@errors/NotFoundError"
 
 import tracer from "@utils/tracer"
 
-import { createPathSchema } from "@validators/path"
-
 import {
   EFS_VOL_PATH_STAGING,
   EFS_VOL_PATH_STAGING_LITE,
@@ -44,6 +42,7 @@ import type {
 import type { IsomerCommitMessage } from "@root/types/github"
 import { ALLOWED_FILE_EXTENSIONS } from "@root/utils/file-upload-utils"
 import { getPaginatedDirectoryContents } from "@root/utils/files"
+import { isSafePath } from "@root/validators/validators"
 
 // methods that do not need to be wrapped for instrumentation
 const METHOD_INSTRUMENTATION_BLACKLIST = [
@@ -372,10 +371,9 @@ export default class GitFileSystemService {
     // traversal attacks
     const repoBaseDirectory = `${efsVolPath}/${repoName}`
     const fullFilePath = path.resolve(repoBaseDirectory, filePath)
-    const pathSchema = createPathSchema({ basePath: repoBaseDirectory })
-    const parsedPathResult = pathSchema.safeParse(fullFilePath)
+    const isSafe = isSafePath(fullFilePath, repoBaseDirectory)
 
-    if (!parsedPathResult.success) {
+    if (!isSafe) {
       logger.error(`Invalid file path: ${filePath} for repo: ${repoName}`)
       return errAsync(new BadRequestError("Invalid file path"))
     }

src/services/db/GitFileSystemService.ts

@@ -1,3 +1,5 @@
+const path = require("path")
+
 const specialCharactersRegexTest = /[~%^*_+\-./\\`;~{}[\]"<>]/
 const jekyllFirstCharacterRegexTest = /^[._#~]/
 const dateRegexTest = /^[0-9]{4}-[0-9]{2}-[0-9]{2}$/
@@ -33,9 +35,35 @@ const isMediaPathValid = ({ path, isFile = false }) => {
 
 const isPasswordValid = (password) => passwordRegexTest.test(password)
 
+const isSafePath = (absPath, basePath) => {
+  // check for poison null bytes
+  if (absPath.indexOf("\0") !== -1) {
+    return false
+  }
+  // check for backslashes
+  if (absPath.indexOf("\\") !== -1) {
+    return false
+  }
+
+  // check for dot segments, even if they don't normalize to anything
+  if (absPath.includes("..")) {
+    return false
+  }
+
+  // check if the normalized path is within the provided 'safe' base path
+  if (path.resolve(basePath, path.relative(basePath, absPath)) !== absPath) {
+    return false
+  }
+  if (absPath.indexOf(basePath) !== 0) {
+    return false
+  }
+  return true
+}
+
 module.exports = {
   hasSpecialCharInTitle,
   isDateValid,
   isMediaPathValid,
   isPasswordValid,
+  isSafePath,
 }