Use safeDecodeURIComponent

Author: timokoessler

library/vulnerabilities/path-traversal/checkUrlPathForPathTraversal.test.ts

@@ -51,6 +51,18 @@ t.test("it does not detect", async (t) => {
     ).found,
     false
   );
+  t.equal(
+    checkUrlPathForPathTraversal("https://example.com/path/to/resource/%C3%A4")
+      .found,
+    false
+  );
+
+  // Invalid url encoded characters
+  t.equal(
+    checkUrlPathForPathTraversal("https://example.com/path/to/resource/%a")
+      .found,
+    false
+  );
 });
 
 t.test("only detect in path segments", async (t) => {

library/vulnerabilities/path-traversal/checkUrlPathForPathTraversal.ts

@@ -1,4 +1,5 @@
 import { getRawUrlPath } from "../../helpers/getRawUrlPath";
+import { safeDecodeURIComponent } from "../../helpers/safeDecodeURIComponent";
 import { normalizeLikeURLConstructor } from "./normalizeLikeURLConstructor";
 
 const forbiddenPattern = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
@@ -43,9 +44,15 @@ export function checkUrlPathForPathTraversal(url: string | undefined): {
   }
 
   // Also check encoded paths
-  const decodedPath = normalizeLikeURLConstructor(decodeURIComponent(rawPath));
+  const decodedPath = safeDecodeURIComponent(rawPath);
+  if (!decodedPath) {
+    return {
+      found: false,
+    };
+  }
 
-  if (forbiddenPattern.test(decodedPath)) {
+  const normalizedDecodedPath = normalizeLikeURLConstructor(decodedPath);
+  if (forbiddenPattern.test(normalizedDecodedPath)) {
     return {
       found: true,
       payload: rawPath,