From b99103d3f7a050cd31e198e3860d432ba01a327d Mon Sep 17 00:00:00 2001 From: Kyle Spearrin Date: Wed, 10 Nov 2021 15:13:13 -0500 Subject: [PATCH] validate path for directory traversal (#540) * validate path for directory traversal * use previously constructed requestUrl --- common/src/services/api.service.ts | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/common/src/services/api.service.ts b/common/src/services/api.service.ts index b7fff0ce8eb..a2c8ee4a380 100644 --- a/common/src/services/api.service.ts +++ b/common/src/services/api.service.ts @@ -1609,6 +1609,13 @@ export class ApiService implements ApiServiceAbstraction { authed: boolean, hasResponse: boolean, apiUrl?: string, alterHeaders?: (headers: Headers) => void): Promise { apiUrl = Utils.isNullOrWhitespace(apiUrl) ? this.environmentService.getApiUrl() : apiUrl; + + const requestUrl = apiUrl + path; + // Prevent directory traversal from malicious paths + if (new URL(requestUrl).href !== requestUrl) { + return Promise.reject('Invalid request url path.'); + } + const headers = new Headers({ 'Device-Type': this.deviceType, }); @@ -1647,7 +1654,7 @@ export class ApiService implements ApiServiceAbstraction { } requestInit.headers = headers; - const response = await this.fetch(new Request(apiUrl + path, requestInit)); + const response = await this.fetch(new Request(requestUrl, requestInit)); if (hasResponse && response.status === 200) { const responseJson = await response.json();
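Review bot: The added guard only confirms that `apiUrl + path` is already in canonical form; it never asserts that the parsed URL still lives under `apiUrl`, and `new URL(requestUrl)` throws a TypeError when `apiUrl` itself is malformed, which escapes as a differently-typed rejection than the bare string rejected on the next line. Comparing the parsed origin and path prefix against `apiUrl` makes the intent explicit, e.g. `const base = new URL(apiUrl); const parsed = new URL(requestUrl);` followed by `if (parsed.href !== requestUrl || parsed.origin !== base.origin || !parsed.pathname.startsWith(base.pathname)) {`, with the parsing wrapped in a try/catch so an unparseable URL takes the same rejection path. Rejecting with an Error rather than a string (`return Promise.reject(new Error('Invalid request url path.'));`) keeps `e instanceof Error` narrowing in callers working. The strict href equality also rejects requests that differ only by normalization (an explicit default port, an uppercase host, or a missing trailing slash when path is empty), so it is worth confirming that every configured API URL round-trips through `new URL(...).href` unchanged. The enclosing method starts before this hunk; the second hunk's switch to `requestUrl` is consistent with the new constant and needs no change.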