Merge pull request #1126 from contentstack/fix/CS-42005

fix: added pathValidator utility method
contentstack · Nov 3, 2023 · 324c11c · 324c11c
2 parents ddca58e + 5d6b89a
commit 324c11c
Show file tree

Hide file tree

Showing 14 changed files with 39 additions and 18 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/contentstack-bootstrap/package.json b/packages/contentstack-bootstrap/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@contentstack/cli-cm-bootstrap",
   "description": "Bootstrap contentstack apps",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "author": "Contentstack",
   "bugs": "https://github.com/contentstack/cli/issues",
   "scripts": {

diff --git a/packages/contentstack-bootstrap/src/bootstrap/interactive.ts b/packages/contentstack-bootstrap/src/bootstrap/interactive.ts
@@ -3,6 +3,7 @@ const inquirer = require('inquirer');
 import { cliux } from '@contentstack/cli-utilities';
 
 import messageHandler from '../messages';
+import { pathValidator } from '@contentstack/cli-utilities';
 
 /**
  * @description Inquire starter app
@@ -58,7 +59,8 @@ export async function inquireCloneDirectory(): Promise<string> {
       message: messageHandler.parse('CLI_BOOTSTRAP_APP_COPY_SOURCE_CODE_DESTINATION_ENQUIRY'),
     },
   ]);
-  selectedCustomPath = path.resolve(selectedCustomPath.path);
+  pathValidator.validatePath(selectedCustomPath.path);
+  selectedCustomPath = path.normalize(selectedCustomPath.path);
   return selectedCustomPath;
 }
 

diff --git a/packages/contentstack-bootstrap/src/bootstrap/utils.ts b/packages/contentstack-bootstrap/src/bootstrap/utils.ts
@@ -130,6 +130,7 @@ const envFileHandler = async (
     customHost = region.cma && region.cma.substring('8');
   }
   const production = environmentVariables.environment === 'production' ? true : false;
+  // Note: clonedDirectory is already sanitised.
   switch (appConfigKey) {
     case 'reactjs':
     case 'reactjs-starter':

diff --git a/packages/contentstack-bulk-publish/package.json b/packages/contentstack-bulk-publish/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@contentstack/cli-cm-bulk-publish",
   "description": "Contentstack CLI plugin for bulk publish actions",
-  "version": "1.3.13",
+  "version": "1.3.14",
   "author": "Contentstack",
   "bugs": "https://github.com/contentstack/cli/issues",
   "dependencies": {

diff --git a/packages/contentstack-bulk-publish/src/util/store.js b/packages/contentstack-bulk-publish/src/util/store.js
@@ -2,6 +2,7 @@ const fs = require('fs');
 const path = require('path');
 const config = require('../config/index.js');
 const chalk = require('chalk');
+const { pathValidator } = require('@contentstack/cli-utilities');
 
 function save(key, data) {
   let bulkPublish = config ? config : {};
@@ -49,6 +50,7 @@ function get(key, filePath) {
 
 function updateMissing(key, flags) {
   let savedConfig;
+  pathValidator.validatePath(flags.config);
   savedConfig = get(key, path.resolve(flags.config));
   Object.keys(savedConfig).forEach((element) => {
     if (flags[element] === undefined) {

diff --git a/packages/contentstack-clone/package.json b/packages/contentstack-clone/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@contentstack/cli-cm-clone",
   "description": "Contentstack stack clone plugin",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "author": "Contentstack",
   "bugs": "https://github.com/rohitmishra209/cli-cm-clone/issues",
   "dependencies": {

diff --git a/packages/contentstack-clone/src/lib/util/log.js b/packages/contentstack-clone/src/lib/util/log.js
@@ -8,6 +8,7 @@ var winston = require('winston');
 var path = require('path');
 var mkdirp = require('mkdirp');
 var slice = Array.prototype.slice;
+const { pathValidator } = require('@contentstack/cli-utilities');
 
 function returnString(args) {
   var returnStr = '';
@@ -41,6 +42,7 @@ var myCustomLevels = {
 };
 
 function init(_logPath, logfileName) {
+  pathValidator.validatePath(logfileName);
   var logsDir = path.resolve(_logPath, 'logs', 'import');
   // Create dir if doesn't already exist
   mkdirp.sync(logsDir);

diff --git a/packages/contentstack-migrate-rte/package.json b/packages/contentstack-migrate-rte/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@contentstack/cli-cm-migrate-rte",
   "description": "Contentstack CLI plugin to migrate HTML RTE to JSON RTE",
-  "version": "1.4.13",
+  "version": "1.4.14",
   "author": "contentstack",
   "bugs": "https://github.com/contentstack/cli/issues",
   "dependencies": {

diff --git a/packages/contentstack-migrate-rte/src/lib/util/index.js b/packages/contentstack-migrate-rte/src/lib/util/index.js
@@ -15,6 +15,7 @@ const {
   isPlainObject,
 } = require('lodash');
 const Validator = require('jsonschema').Validator;
+const { pathValidator } = require('@contentstack/cli-utilities');
 const configSchema = require('./config_schema.json');
 const { JSDOM } = require('jsdom');
 const collapseWithSpace = require('collapse-whitespace');
@@ -88,6 +89,7 @@ async function getConfig(flags) {
     let config;
     if (flags['config-path']) {
       const configPath = flags['config-path'];
+      pathValidator.validatePath(configPath);
       config = require(nodePath.resolve(configPath));
     } else {
       config = {

diff --git a/packages/contentstack-migration/package.json b/packages/contentstack-migration/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@contentstack/cli-migration",
-  "version": "1.3.14",
+  "version": "1.3.15",
   "author": "@contentstack",
   "bugs": "https://github.com/contentstack/cli/issues",
   "dependencies": {

diff --git a/packages/contentstack-migration/src/commands/cm/stacks/migration.js b/packages/contentstack-migration/src/commands/cm/stacks/migration.js
@@ -8,6 +8,7 @@ const Listr = require('listr');
 const { resolve, extname } = require('path');
 const { Command } = require('@contentstack/cli-command');
 const { waterfall } = require('async');
+const { pathValidator } = require('@contentstack/cli-utilities');
 const { Parser } = require('../../../modules');
 const { ActionList } = require('../../../actions');
 const fs = require('fs');
@@ -129,14 +130,14 @@ class MigrationCommand extends Command {
   }
 
   async execSingleFile(filePath, mapInstance) {
-    // Resolved absolute path
-    const resolvedMigrationPath = resolve(filePath);
-    // User provided migration function
-    const migrationFunc = require(resolvedMigrationPath);
-
-    const parser = new Parser();
-
     try {
+      pathValidator.validatePath(filePath);
+      // Resolved absolute path
+      const resolvedMigrationPath = resolve(filePath);
+      // User provided migration function
+      const migrationFunc = require(resolvedMigrationPath);
+
+      const parser = new Parser();
       const migrationParser = await parser.getMigrationParser(migrationFunc);
       if (migrationParser.hasErrors) {
         errorHelper(migrationParser.hasErrors);

diff --git a/packages/contentstack-utilities/src/index.ts b/packages/contentstack-utilities/src/index.ts
@@ -5,6 +5,7 @@ export { default as CLIError } from './cli-error';
 export { default as messageHandler } from './message-handler';
 export { default as authHandler } from './auth-handler';
 export { default as configHandler } from './config-handler';
+export { default as pathValidator } from './path-validator';
 export {
   default as managementSDKClient,
   managementSDKInitiator,

diff --git a/packages/contentstack-utilities/src/path-validator.ts b/packages/contentstack-utilities/src/path-validator.ts
@@ -0,0 +1,10 @@
+class PathValidator {
+  validatePath(userInput) {
+    if (!/^[^.]+$/.test(userInput)) {
+      throw 'The path contains illegal character such as `.`. Please use absolute paths.';
+    }
+    return true;
+  }
+}
+
+export default new PathValidator();