
@aikidosec/firewall


Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });

const { getPathsToPayload } = require("../../helpers/attackPath");
const {
  extractPathStringsFromUserInputCached,
} = require("../../helpers/extractPathStringsFromUserInputCached");
const { getSourceForUserString } = require("../../helpers/getSourceForUserString");
const { detectPathTraversal } = require("./detectPathTraversal");

/**
 * Convert a fs path argument (string, Buffer, URL) to a string.
 *
 * - strings are returned as-is;
 * - URL objects contribute their `pathname` only (no host, query or hash);
 * - Buffers are decoded as strict UTF-8 and yield `undefined` when the bytes
 *   are not valid UTF-8 — the caller then skips detection for that call;
 * - anything else (including non-Buffer Uint8Array views, since the check is
 *   `instanceof Buffer`) yields `undefined`.
 *
 * @param {unknown} path - the path argument handed to the fs operation
 * @returns {string | undefined}
 */
function pathToString(path) {
  if (typeof path === "string") {
    return path;
  }
  if (path instanceof URL) {
    return path.pathname;
  }
  if (!(path instanceof Buffer)) {
    return undefined;
  }
  // fatal: true makes decode() throw on malformed UTF-8 instead of silently
  // substituting U+FFFD; a non-text buffer is therefore reported as "no path".
  const decoder = new TextDecoder("utf-8", { fatal: true });
  try {
    return decoder.decode(path);
  } catch {
    return undefined;
  }
}

/**
 * Walks every user-controlled string extracted from the request context and
 * checks whether it implies path traversal against the file path the
 * operation is about to use. The first string that both matches and can be
 * attributed to a request source produces an InterceptorResult; if the
 * filename cannot be converted to a string, or nothing matches, the result is
 * `undefined`.
 *
 * @param {object} args
 * @param {string | URL | Buffer} args.filename - path argument of the fs operation
 * @param {string} args.operation - name of the intercepted operation, echoed in the result
 * @param {object} args.context - request context, indexed by source name to reach the raw user input
 * @param {boolean} [args.checkPathStart=true] - forwarded unchanged to detectPathTraversal
 * @returns {object | undefined} InterceptorResult for the first attributable match, else undefined
 */
function checkContextForPathTraversal({
  filename,
  operation,
  context,
  checkPathStart = true,
}) {
  const pathString = pathToString(filename);
  if (!pathString) {
    return undefined;
  }
  // Whether the filename arrived as a URL object; forwarded to the detector.
  const isUrl = filename instanceof URL;

  for (const userInput of extractPathStringsFromUserInputCached(context)) {
    if (!detectPathTraversal(pathString, userInput, checkPathStart, isUrl)) {
      continue;
    }
    const source = getSourceForUserString(context, userInput);
    if (!source) {
      // The matching string cannot be tied to a request source; keep scanning
      // rather than reporting a result without provenance.
      continue;
    }
    return {
      operation,
      kind: "path_traversal",
      source,
      pathsToPayload: getPathsToPayload(userInput, context[source]),
      metadata: {
        filename: pathString,
      },
      payload: userInput,
    };
  }
  return undefined;
}

exports.checkContextForPathTraversal = checkContextForPathTraversal;