[CSA-28] Use path normalization in API requests (#4580)

* Use path normalization in API requests * Remove CLI webpack config change that's unneeded * Add additional tests
2025-12-15 15:53:27 +00:00 · 2023-02-03 14:24:49 -05:00
parent ff143760d4
commit 6df37dd715
5 changed files with 34 additions and 6 deletions
--- a/libs/common/src/misc/utils.ts
+++ b/libs/common/src/misc/utils.ts
@@ -1,4 +1,6 @@
 /* eslint-disable no-useless-escape */
+import * as path from "path";
+
 import { getHostname, parse } from "tldts";
 import { Merge } from "type-fest";

@@ -498,6 +500,15 @@ export class Utils {
    );
  }

+  /**
+   * Normalizes a path for defense against attacks like traversals
+   * @param denormalizedPath
+   * @returns
+   */
+  static normalizePath(denormalizedPath: string): string {
+    return path.normalize(decodeURIComponent(denormalizedPath)).replace(/^(\.\.(\/|\\|$))+/, "");
+  }
+
  private static isMobile(win: Window) {
    let mobile = false;
    ((a) => {
--- a/libs/common/src/services/api.service.ts
+++ b/libs/common/src/services/api.service.ts
@@ -1962,11 +1962,8 @@ export class ApiService implements ApiServiceAbstraction {
  ): Promise<any> {
    apiUrl = Utils.isNullOrWhitespace(apiUrl) ? this.environmentService.getApiUrl() : apiUrl;

-    const requestUrl = apiUrl + path;
    // Prevent directory traversal from malicious paths
-    if (new URL(requestUrl).href !== requestUrl) {
-      return Promise.reject("Invalid request url path.");
-    }
+    const requestUrl = apiUrl + Utils.normalizePath(path);

    const headers = new Headers({
      "Device-Type": this.deviceType,