Fix multiple control chars

timokoessler · timokoessler · commit 8528f1b3b014 · 2025-04-22T14:09:30.000+02:00
diff --git a/library/sinks/FileSystem.test.ts b/library/sinks/FileSystem.test.ts
@@ -249,6 +249,34 @@ t.test("it works", async (t) => {
     }
   );
 
+  runWithContext(
+    {
+      remoteAddress: "::1",
+      method: "POST",
+      url: "http://localhost:4000",
+      query: {
+        q: ".\t\t./etc/passwd",
+      },
+      headers: {},
+      body: {},
+      cookies: {},
+      routeParams: {},
+      source: "express",
+      route: "/posts/:id",
+    },
+    () => {
+      throws(
+        () =>
+          rename(
+            new URL("file:///.\t\t./etc/passwd"),
+            "../test123.txt",
+            () => {}
+          ),
+        "Zen has blocked a path traversal attack: fs.rename(...) originating from query.q"
+      );
+    }
+  );
+
   // Ignores malformed URLs
   runWithContext(
     { ...unsafeContext, body: { file: { matches: "../%" } } },
diff --git a/library/vulnerabilities/path-traversal/containsUnsafePathParts.test.ts b/library/vulnerabilities/path-traversal/containsUnsafePathParts.test.ts
@@ -40,6 +40,8 @@ t.test("it detects dangerous path parts for URLs", async () => {
   t.same(containsUnsafePathPartsUrl("file:///.\t./test.txt"), true);
   t.same(containsUnsafePathPartsUrl("file://.\n./test.txt"), true);
   t.same(containsUnsafePathPartsUrl("file://.\r./test.txt"), true);
+  t.same(containsUnsafePathPartsUrl("file:///.\t\t./test.txt"), true);
+  t.same(containsUnsafePathPartsUrl("file:///.\t\n./test.txt"), true);
 });
 
 t.test("it only removes some chars from the URL", async () => {
@@ -51,4 +53,6 @@ t.test("it only removes some chars from the URL", async () => {
   t.same(fileURLToPath("file:///.\v./test.txt"), "/.\v./test.txt");
   t.same(fileURLToPath("file:///.\f./test.txt"), "/.\f./test.txt");
   t.same(fileURLToPath("file:///.\b./test.txt"), "/.\b./test.txt");
+  t.same(fileURLToPath("file:///.\t\t./test.txt"), "/test.txt");
+  t.same(fileURLToPath("file:///.\t\n./test.txt"), "/test.txt");
 });
diff --git a/library/vulnerabilities/path-traversal/containsUnsafePathParts.ts b/library/vulnerabilities/path-traversal/containsUnsafePathParts.ts
@@ -20,5 +20,5 @@ export function containsUnsafePathParts(filePath: string) {
  * See https://url.spec.whatwg.org/#url-parsing
  */
 export function containsUnsafePathPartsUrl(filePath: string) {
-  return /(?:\.(?:\t|\n|\r)?){2}(?:\/|\\)/.test(filePath);
+  return /(?:\.(?:\t|\n|\r)*){2}(?:\/|\\)/.test(filePath);
 }

Original file line number	Diff line number	Diff line change
`@@ -20,5 +20,5 @@ export function containsUnsafePathParts(filePath: string) {`
`20`	`20`	`* See https://url.spec.whatwg.org/#url-parsing`
`21`	`21`	`*/`
`22`	`22`	`export function containsUnsafePathPartsUrl(filePath: string) {`
`23`		`- return /(?:\.(?:\t\|\n\|\r)?){2}(?:\/\|\\)/.test(filePath);`
	`23`	`+ return /(?:\.(?:\t\|\n\|\r)*){2}(?:\/\|\\)/.test(filePath);`
`24`	`24`	`}`