contains-path-traversal
🚶 Does this string contain path traversal?
1 lines • 1.46 kB
Source Map (JSON)
{"version":3,"sources":["../src/index.ts"],"sourcesContent":["const MAX_DECODE_ROUNDS = 4; // %25-nesting and split-nibble tricks\n\ntype Options = {\n\t/**\n\t * Maximum number of decode iterations to perform.\n\t * Default: 4\n\t */\n\tmaxIterations?: number;\n};\n\n/**\n * Check for path traversal attempts in the given pathname.\n */\nexport function containsPathTraversal(\n\tpathname: string,\n\t{ maxIterations }: Options = {\n\t\tmaxIterations: MAX_DECODE_ROUNDS,\n\t},\n): boolean {\n\treturn recursiveDecode(pathname, 0, maxIterations).split(\"/\").includes(\"..\");\n}\n\n/**\n * decode a URI component multiple (limited) times until it no longer changes\n */\nfunction recursiveDecode(\n\tstring: string,\n\titeration: number,\n\tmaxIterations: number,\n): string {\n\tif (iteration >= maxIterations) return string;\n\ttry {\n\t\tconst decoded = decodeURIComponent(string);\n\t\tif (decoded === string) return string;\n\t\treturn recursiveDecode(decoded, iteration + 1, maxIterations);\n\t} catch {\n\t\treturn string;\n\t}\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAM,oBAAoB;AAanB,SAAS,sBACf,UACA,EAAE,cAAc,IAAa;AAAA,EAC5B,eAAe;AAChB,GACU;AACV,SAAO,gBAAgB,UAAU,GAAG,aAAa,EAAE,MAAM,GAAG,EAAE,SAAS,IAAI;AAC5E;AAKA,SAAS,gBACR,QACA,WACA,eACS;AACT,MAAI,aAAa,cAAe,QAAO;AACvC,MAAI;AACH,UAAM,UAAU,mBAAmB,MAAM;AACzC,QAAI,YAAY,OAAQ,QAAO;AAC/B,WAAO,gBAAgB,SAAS,YAAY,GAAG,aAAa;AAAA,EAC7D,QAAQ;AACP,WAAO;AAAA,EACR;AACD;","names":[]}