Commit 03c1156

refactor(radar): use path normalization for traversal check
Replace blocklist pattern matching with URL path normalization and allowlist validation. The URL constructor normalizes paths (resolves '..' and decodes percent-encoding), so we verify the final pathname stays within /client/v4/radar/ scope. This approach handles:

- URL-encoded traversal attempts (%2e%2e, %2f)
- Double encoding and other bypass techniques
- Future unknown bypass patterns (allowlist vs blocklist)
1 parent f25ee40 commit 03c1156

1 file changed: +7 -5 lines changed


apps/radar/src/tools/radar.tools.ts

Lines changed: 7 additions & 5 deletions
@@ -127,13 +127,15 @@ async function fetchRadarApi(
127127
endpoint: string,
128128
params: Record<string, unknown> = {}
129129
): Promise<unknown> {
130-
// Defense-in-depth: Reject any path traversal attempts
131-
if (endpoint.includes('..') || endpoint.includes('//')) {
132-
throw new Error('Invalid endpoint path: path traversal sequences are not allowed')
133-
}
134-
135130
const url = new URL(`${RADAR_API_BASE}${endpoint}`)
136131

132+
// Defense-in-depth: Ensure the resolved path stays within Radar API scope
133+
// The URL constructor normalizes the path (resolves '..' and decodes percent-encoding),
134+
// so we check the final pathname to prevent path traversal attacks
135+
if (!url.pathname.startsWith('/client/v4/radar/')) {
136+
throw new Error('Invalid endpoint path: must be within the Radar API scope')
137+
}
138+
137139
for (const [key, value] of Object.entries(params)) {
138140
if (value === undefined || value === null) continue
139141
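Review bot: The comment on the added lines ("resolves '..' and decodes percent-encoding") overstates what `new URL()` does: the WHATWG parser resolves dot-segments, including their percent-encoded spellings such as `%2e%2e`, but it does not otherwise percent-decode `pathname`, so an encoded slash `%2f` survives into `url.pathname` unchanged and `url.pathname.startsWith('/client/v4/radar/')` accepts it; whether it later acts as a separator is decided by the upstream server's decoding, not by this check. Reword the comment to say the check relies on dot-segment normalization, and consider rejecting any encoded separator that is left over, e.g. `if (/%2f/i.test(url.pathname)) throw new Error('Invalid endpoint path')`. Separately, because `endpoint` is interpolated into the string before parsing, a `?` or `#` in it lands in `url.search` or `url.hash` rather than in `pathname` and is not covered by the prefix check, so a caller could add query parameters that bypass the `params` loop below; asserting `url.search === '' && url.hash === ''` before that loop closes the gap, and comparing `url.origin` against the base origin keeps the scope check complete if `RADAR_API_BASE` is ever changed to something the prefix does not constrain.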

0 commit comments
