diff --git a/src/services/directoryServices/ResourceDirectoryService.js b/src/services/directoryServices/ResourceDirectoryService.js
index ee218a55e..b2b88f0ab 100644
--- a/src/services/directoryServices/ResourceDirectoryService.js
+++ b/src/services/directoryServices/ResourceDirectoryService.js
@@ -7,6 +7,8 @@ const {
 } = require("@utils/markdown-utils")
 const { slugifyCollectionName } = require("@utils/utils")
 
+const { isSafePath } = require("@root/validators/validators")
+
 const INDEX_FILE_NAME = "index.html"
 
 class ResourceDirectoryService {
@@ -79,7 +81,13 @@ class ResourceDirectoryService {
 sessionData,
 { resourceRoomName, resourceCategoryName }
 ) {
- if (/[^a-zA-Z0-9- ]/g.test(resourceCategoryName)) {
+ if (
+ /[^a-zA-Z0-9- ]/g.test(resourceCategoryName) ||
+ !isSafePath(
+ `/${resourceRoomName}/${resourceCategoryName}`,
+ `/${resourceRoomName}`
+ )
+ ) {
 // Contains non-allowed characters
 throw new BadRequestError(
 "Special characters not allowed in resource category name"
@@ -111,7 +119,13 @@ class ResourceDirectoryService {
 githubSessionData,
 { resourceRoomName, resourceCategoryName, newDirectoryName }
 ) {
- if (/[^a-zA-Z0-9- ]/g.test(newDirectoryName)) {
+ if (
+ /[^a-zA-Z0-9- ]/g.test(newDirectoryName) ||
+ !isSafePath(
+ `/${resourceRoomName}/${newDirectoryName}`,
+ `/${resourceRoomName}`
+ )
+ ) {
 // Contains non-allowed characters
 throw new BadRequestError(
 "Special characters not allowed in resource category name"
diff --git a/src/services/fileServices/MdPageServices/ResourcePageService.js b/src/services/fileServices/MdPageServices/ResourcePageService.js
index 99bd64566..4317193c5 100644
--- a/src/services/fileServices/MdPageServices/ResourcePageService.js
+++ b/src/services/fileServices/MdPageServices/ResourcePageService.js
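Review bot: The new import pulls `isSafePath` from `@root/validators/validators`, while the other two files in this diff import the same function from `@validators/validators`. If both aliases resolve to the same module this is only a consistency point, but one alias keeps the import style uniform across the services: `const { isSafePath } = require("@root/validators/validators")` → `const { isSafePath } = require("@validators/validators")`.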
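Review bot: The added `isSafePath` term in the new `if` cannot reject anything the regex beside it does not already reject: the class `[^a-zA-Z0-9- ]` excludes `.` and `/`, so `resourceCategoryName` can never carry a traversal sequence, and because the base `/${resourceRoomName}` is built from the same unvalidated segment as the path, a `..` inside `resourceRoomName` moves base and path together and, if `isSafePath` is a containment check as its call shape suggests, passes. If `resourceRoomName` is not already constrained by the route layer, validating it directly is the check that is actually missing, e.g. adding `/[^a-zA-Z0-9- ]/g.test(resourceRoomName) ||` beside the existing test (with whatever character set room names are allowed to use). The rename hunk at `@@ -111` repeats the same shape with `newDirectoryName`, which the regex likewise already constrains. If the term is intended only as defence in depth, a one-line comment such as `// isSafePath is belt-and-braces: the regex above already excludes '.' and '/'` would save the next reader from hunting for the case it covers. The enclosing method's name and the rest of its body lie outside the hunk.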
@@ -5,7 +5,11 @@ const {
 convertDataToMarkdown,
 } = require("@utils/markdown-utils")
 
-const { hasSpecialCharInTitle, isDateValid } = require("@validators/validators")
+const {
+ hasSpecialCharInTitle,
+ isDateValid,
+ isSafePath,
+} = require("@validators/validators")
 
 class ResourcePageService {
 constructor({ gitHubService }) {
@@ -16,7 +20,7 @@ class ResourcePageService {
 const fileNameArray = fileName.split(".md")[0]
 const tokenArray = fileNameArray.split("-")
 const date = tokenArray.slice(0, 3).join("-")
- if (!isDateValid(date))
+ if (!isDateValid(date) || !isSafePath(`/${fileName}`, "/"))
 throw new BadRequestError("Special characters not allowed in file name")
 
 const type = ["file", "post", "link"].includes(tokenArray[3])
diff --git a/src/services/fileServices/MdPageServices/SubcollectionPageService.js b/src/services/fileServices/MdPageServices/SubcollectionPageService.js
index 06372d38f..299e15042 100644
--- a/src/services/fileServices/MdPageServices/SubcollectionPageService.js
+++ b/src/services/fileServices/MdPageServices/SubcollectionPageService.js
@@ -6,7 +6,7 @@ const {
 } = require("@utils/markdown-utils")
 const { deslugifyCollectionName } = require("@utils/utils")
 
-const { hasSpecialCharInTitle } = require("@validators/validators")
+const { hasSpecialCharInTitle, isSafePath } = require("@validators/validators")
 
 class SubcollectionPageService {
 constructor({ gitHubService, collectionYmlService }) {
@@ -27,7 +27,11 @@ class SubcollectionPageService {
 ) {
 if (
 !shouldIgnoreCheck &&
- hasSpecialCharInTitle({ title: fileName, isFile: true })
+ (hasSpecialCharInTitle({ title: fileName, isFile: true }) ||
+ !isSafePath(
+ `/${collectionName}/${subcollectionName}/${fileName}`,
+ `/${collectionName}`
+ ))
 )
 throw new BadRequestError(
 `Special characters not allowed when creating files. Given name: ${fileName}`
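Review bot: The new `` isSafePath(`/${fileName}`, "/") `` term uses the filesystem root as its base, which is the weakest containment possible: if `isSafePath` normalises the first argument and checks that it stays under the second (as its use elsewhere in this diff suggests), a `fileName` that embeds a `/` or a `..` segment still resolves somewhere under `/` and passes, so this line does not stop a file name from pointing outside the directory the page is written to. The base should be that target directory, with `fileName` as the only appended component — the same pattern ResourceDirectoryService uses with `/${resourceRoomName}` — roughly `` !isSafePath(`/${targetDir}/${fileName}`, `/${targetDir}`) `` where `targetDir` is whatever the enclosing method already uses to place the file. A valid date prefix followed by a traversal is exactly the input this condition now needs to catch, since `isDateValid` only inspects the first three tokens. The method's signature is outside the hunk, so which directory parameters are available here cannot be confirmed from the diff.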
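Review bot: The new `isSafePath` term is placed inside the `!shouldIgnoreCheck &&` guard, so any caller that passes `shouldIgnoreCheck` skips the path-containment check together with the character check, although the two serve different purposes. Containment should not be optional: hoist it into its own statement ahead of the existing condition, `` if (!isSafePath(`/${collectionName}/${subcollectionName}/${fileName}`, `/${collectionName}/${subcollectionName}`)) throw new BadRequestError(...) ``, and leave `shouldIgnoreCheck` governing only `hasSpecialCharInTitle`. Separately, the base `/${collectionName}` is one level above the directory the file belongs to, so a name that climbs a single level still resolves inside the base and passes; the rename hunk at `@@ -117` makes the same base choice with `newFileName`, and both should use the subcollection directory as the base. Whether `hasSpecialCharInTitle` already rejects `/` and `.` is not visible here; if it does, the containment check is defence in depth, which is still worth having but should not be skippable. The method header is outside the hunk.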
@@ -117,7 +121,13 @@ class SubcollectionPageService {
 sha,
 }
 ) {
- if (hasSpecialCharInTitle({ title: newFileName, isFile: true }))
+ if (
+ hasSpecialCharInTitle({ title: newFileName, isFile: true }) ||
+ !isSafePath(
+ `/${collectionName}/${subcollectionName}/${newFileName}`,
+ `/${collectionName}`
+ )
+ )
 throw new BadRequestError(
 `Special characters not allowed when renaming files. Given name: ${newFileName}`
 )