
@aikidosec/firewall


Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks

"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.startsWithUnsafePath = startsWithUnsafePath; const path_1 = require("path"); const wrap_1 = require("../../helpers/wrap"); const linuxRootFolders = [ "/bin/", "/boot/", "/dev/", "/etc/", "/home/", "/init/", "/lib/", "/media/", "/mnt/", "/opt/", "/proc/", "/root/", "/run/", "/sbin/", "/srv/", "/sys/", "/tmp/", "/usr/", "/var/", ]; const dangerousPathStarts = [...linuxRootFolders, "c:/", "c:\\"]; function startsWithUnsafePath(filePath, userInput) { // Check if path is relative (not absolute or drive letter path) // Required because resolve will build absolute paths from relative paths if (!(0, path_1.isAbsolute)(filePath) || !(0, path_1.isAbsolute)(userInput)) { return false; } let origResolve = path_1.resolve; if ((0, wrap_1.isWrapped)(path_1.resolve)) { origResolve = path_1.resolve.__original; } const normalizedPath = origResolve(filePath).toLowerCase(); const normalizedUserInput = origResolve(userInput).toLowerCase(); for (const dangerousStart of dangerousPathStarts) { if (normalizedPath.startsWith(dangerousStart) && normalizedPath.startsWith(normalizedUserInput)) { // If the user input is the same as the dangerous start, we don't want to flag it to prevent false positives // e.g. if user input is /etc/ and the path is /etc/passwd, we don't want to flag it, as long as the // user input does not contain a subdirectory or filename if (userInput === dangerousStart || userInput === dangerousStart.slice(0, -1)) { return false; } return true; } } return false; }