resolved copilot suggestion issue

Author: sauravraw

api/src/services/runCli.service.ts

@@ -18,50 +18,6 @@ interface TestStack {
 }
 import utilitiesHandler from '@contentstack/cli-utilities';
 
-/**
- * Adds a custom message to the CLI logs file
- * @param loggerPath - Path to the log file
- * @param level - Log level (default: 'info')
- * @param message - Message to be logged
- */
-const addCustomMessageInCliLogs = async (
-  loggerPath: string,
-  level: string = 'info',
-  message: string
-) => {
-  try {
-    const logEntry = {
-      level,
-      message,
-      timestamp: new Date().toISOString(),
-    };
-
-    // Create directory if it doesn't exist
-    const logDir = path.dirname(loggerPath);
-    await fs.promises.mkdir(logDir, { recursive: true });
-
-    // Append log with proper formatting
-    await fs.promises.appendFile(
-      loggerPath,
-      JSON.stringify(logEntry, null, 2) + '\n'
-    );
-
-    // Also log to console based on level
-    switch (level) {
-      case 'error':
-        console.error(message);
-        break;
-      case 'warn':
-        console.warn(message);
-        break;
-      default:
-        console.info(message);
-    }
-  } catch (error) {
-    console.error('Error writing to log file:', error);
-  }
-};
-
 /**
  * Determines log level based on message content without removing ANSI codes
  */
@@ -190,11 +146,6 @@ export const runCli = async (
   transformePath: string
 ) => {
   try {
-    // Set appropriate completion message based on migration type
-    const message = isTest
-      ? 'Test Migration Process Completed'
-      : 'Migration Process Completed';
-
     // Format region string for CLI compatibility
     const regionPresent =
       CS_REGIONS.find((item) => item === rg) ?? 'NA'.replace(/_/g, '-');

api/src/utils/custom-logger.utils.ts

@@ -5,12 +5,33 @@ import logger from './logger.js';
 import { getSafePath } from './sanitize-path.utils.js';
 
 // Utility function to safely join and resolve paths
-const safeJoin = (basePath: string, ...paths: string[]) => {
-  const resolvedPath = getSafePath(path.resolve(basePath, ...paths)); // Resolve absolute path
-  if (!resolvedPath.startsWith(basePath)) {
-    throw new Error('Invalid file path');
+/**
+ * Safely joins and resolves paths to prevent directory traversal attacks
+ * @param basePath - Base directory that should contain the result
+ * @param paths - Path segments to join with the base path
+ * @returns A safe absolute path guaranteed to be within basePath
+ */
+const safeJoin = (basePath: string, ...paths: string[]): string => {
+  // Get normalized absolute base path
+  const absoluteBasePath = path.resolve(basePath);
+
+  // Get sanitized absolute resolved path
+  const resolvedPath = getSafePath(path.resolve(basePath, ...paths));
+
+  // Use path.relative to check containment - this is more secure
+  const relativePath = path.relative(absoluteBasePath, resolvedPath);
+
+  // Check if path attempts to traverse up/outside the base directory
+  if (
+    relativePath === '' ||
+    relativePath === '.' ||
+    (!relativePath.startsWith('..') && !path.isAbsolute(relativePath))
+  ) {
+    return resolvedPath; // Path is safely within base directory
   }
-  return resolvedPath;
+
+  // Path is trying to escape - reject it
+  throw new Error('Invalid file path: Directory traversal attempt detected');
 };
 
 const fileExists = async (path: string): Promise<boolean> => {

api/src/utils/sanitize-path.utils.ts

@@ -1,4 +1,4 @@
-import path from "path";
+import path from 'path';
 
 /**
  * Sanitizes a filename by removing unsafe characters.
@@ -8,7 +8,7 @@ import path from "path";
  * @returns A safe, sanitized filename.
  */
 const sanitizeFilename = (filename: string): string => {
-  return path.basename(filename).replace(/[^a-zA-Z0-9_.\s-]/g, "");
+  return path.basename(filename).replace(/[^a-zA-Z0-9_.\s-]/g, '');
 };
 
 /**
@@ -22,7 +22,7 @@ const sanitizeFilename = (filename: string): string => {
 export const getSafePath = (inputPath: string, baseDir?: string): string => {
   try {
     // Resolve the absolute path (handles path.join(), path.resolve(), and full paths)
-    const resolvedPath = path.resolve(baseDir || "", inputPath);
+    const resolvedPath = path.resolve(baseDir || '', inputPath);
 
     // Ensure only the last segment (filename) is sanitized
     const dirPath = path.dirname(resolvedPath);
@@ -34,15 +34,28 @@ export const getSafePath = (inputPath: string, baseDir?: string): string => {
     // Ensure the path remains inside baseDir (if provided)
     if (baseDir) {
       const safeBaseDir = path.resolve(baseDir);
-      if (!safePath.startsWith(safeBaseDir)) {
-        console.warn("Invalid file path detected, using default safe path.");
-        return path.join(safeBaseDir, "default.log");
+
+      // Use path.relative to securely check path containment
+      const relativePath = path.relative(safeBaseDir, safePath);
+
+      // If relativePath starts with '..' or is absolute, it's trying to escape
+      if (
+        relativePath === '' ||
+        relativePath === '.' ||
+        (!relativePath.startsWith('..') && !path.isAbsolute(relativePath))
+      ) {
+        // Path is safely within the base directory
+        return safePath;
+      } else {
+        // Path is trying to escape the base directory
+        console.warn('Invalid file path detected, using default safe path.');
+        return path.join(safeBaseDir, 'default.log');
       }
     }
 
     return safePath;
   } catch (error) {
-    console.error("Error generating safe path:", error);
-    return baseDir ? path.join(baseDir, "default.log") : "default.log";
+    console.error('Error generating safe path:', error);
+    return baseDir ? path.join(baseDir, 'default.log') : 'default.log';
   }
 };