fix: validate path is safe for creates (#1469)

dcshzj · web-flow · commit c74d82c6de2d · 2025-12-04T15:41:09.000+08:00
diff --git a/src/services/directoryServices/ResourceDirectoryService.js b/src/services/directoryServices/ResourceDirectoryService.js
@@ -7,6 +7,8 @@ const {
 } = require("@utils/markdown-utils")
 const { slugifyCollectionName } = require("@utils/utils")
 
+const { isSafePath } = require("@root/validators/validators")
+
 const INDEX_FILE_NAME = "index.html"
 
 class ResourceDirectoryService {
@@ -79,7 +81,13 @@ class ResourceDirectoryService {
     sessionData,
     { resourceRoomName, resourceCategoryName }
   ) {
-    if (/[^a-zA-Z0-9- ]/g.test(resourceCategoryName)) {
+    if (
+      /[^a-zA-Z0-9- ]/g.test(resourceCategoryName) ||
+      !isSafePath(
+        `/${resourceRoomName}/${resourceCategoryName}`,
+        `/${resourceRoomName}`
+      )
+    ) {
       // Contains non-allowed characters
       throw new BadRequestError(
         "Special characters not allowed in resource category name"
@@ -111,7 +119,13 @@ class ResourceDirectoryService {
     githubSessionData,
     { resourceRoomName, resourceCategoryName, newDirectoryName }
   ) {
-    if (/[^a-zA-Z0-9- ]/g.test(newDirectoryName)) {
+    if (
+      /[^a-zA-Z0-9- ]/g.test(newDirectoryName) ||
+      !isSafePath(
+        `/${resourceRoomName}/${newDirectoryName}`,
+        `/${resourceRoomName}`
+      )
+    ) {
       // Contains non-allowed characters
       throw new BadRequestError(
         "Special characters not allowed in resource category name"
diff --git a/src/services/fileServices/MdPageServices/ResourcePageService.js b/src/services/fileServices/MdPageServices/ResourcePageService.js
@@ -5,7 +5,11 @@ const {
   convertDataToMarkdown,
 } = require("@utils/markdown-utils")
 
-const { hasSpecialCharInTitle, isDateValid } = require("@validators/validators")
+const {
+  hasSpecialCharInTitle,
+  isDateValid,
+  isSafePath,
+} = require("@validators/validators")
 
 class ResourcePageService {
   constructor({ gitHubService }) {
@@ -16,7 +20,7 @@ class ResourcePageService {
     const fileNameArray = fileName.split(".md")[0]
     const tokenArray = fileNameArray.split("-")
     const date = tokenArray.slice(0, 3).join("-")
-    if (!isDateValid(date))
+    if (!isDateValid(date) || !isSafePath(`/${fileName}`, "/"))
       throw new BadRequestError("Special characters not allowed in file name")
 
     const type = ["file", "post", "link"].includes(tokenArray[3])
diff --git a/src/services/fileServices/MdPageServices/SubcollectionPageService.js b/src/services/fileServices/MdPageServices/SubcollectionPageService.js
@@ -6,7 +6,7 @@ const {
 } = require("@utils/markdown-utils")
 const { deslugifyCollectionName } = require("@utils/utils")
 
-const { hasSpecialCharInTitle } = require("@validators/validators")
+const { hasSpecialCharInTitle, isSafePath } = require("@validators/validators")
 
 class SubcollectionPageService {
   constructor({ gitHubService, collectionYmlService }) {
@@ -27,7 +27,11 @@ class SubcollectionPageService {
   ) {
     if (
       !shouldIgnoreCheck &&
-      hasSpecialCharInTitle({ title: fileName, isFile: true })
+      (hasSpecialCharInTitle({ title: fileName, isFile: true }) ||
+        !isSafePath(
+          `/${collectionName}/${subcollectionName}/${fileName}`,
+          `/${collectionName}`
+        ))
     )
       throw new BadRequestError(
         `Special characters not allowed when creating files. Given name: ${fileName}`
@@ -117,7 +121,13 @@ class SubcollectionPageService {
       sha,
     }
   ) {
-    if (hasSpecialCharInTitle({ title: newFileName, isFile: true }))
+    if (
+      hasSpecialCharInTitle({ title: newFileName, isFile: true }) ||
+      !isSafePath(
+        `/${collectionName}/${subcollectionName}/${newFileName}`,
+        `/${collectionName}`
+      )
+    )
       throw new BadRequestError(
         `Special characters not allowed when renaming files. Given name: ${newFileName}`
       )
