Merge pull request #754 from contentstack/bugfix/audit-log

bug resolved

Author: sayalijoshi27

.talismanrc

@@ -81,6 +81,9 @@ fileignoreconfig:
     checksum: 1fec859f4d41e1acb5cdab8fdfba7c1978532a7f98f4fd26674153755f926d64
   - filename: ui/package-lock.json
     checksum: 4abcc89c75b7ddca8128fd72faafbb9b159f02611d96325bcd355283074ce287
+  - filename: ui/src/components/ContentMapper/index.scss
+    checksum: 46f8fde3b745feba40943f00d8d52714d0f320202c86b62f6c5ded73c2dbcf4c
+  
 
 fileignoreconfig:
 - filename: api/src/services/migration.service.ts

api/src/services/migration.service.ts

@@ -34,7 +34,7 @@ import fsPromises from 'fs/promises';
 import { matchesSearchText } from '../utils/search.util.js';
 import { taxonomyService } from './taxonomy.service.js';
 import { globalFieldServie } from './globalField.service.js';
-// import { getSafePath } from "../utils/sanitize-path.utils.js";
+import { getSafePath } from '../utils/sanitize-path.utils.js';
 
 /**
  * Creates a test stack.
@@ -727,7 +727,16 @@ const getAuditData = async (req: Request): Promise<any> => {
         }
       };
       if (entriesSelectFieldExists) {
-        const fileContent = await fsPromises?.readFile(entriesSelectFieldPath, 'utf8');
+        const safeEntriesSelectFieldPath = getSafePath(entriesSelectFieldPath);
+        // Ensure the sanitized path is within the auditLogPath directory
+        if (!safeEntriesSelectFieldPath.startsWith(auditLogPath)) {
+          throw new BadRequestError('Access to this file is not allowed.');
+        }
+        // Additional path traversal prevention
+        if (!safeEntriesSelectFieldPath.startsWith(auditLogPath) || safeEntriesSelectFieldPath.includes('..')) {
+          throw new BadRequestError('Access to this file is not allowed.');
+        }
+        const fileContent = await fsPromises?.readFile(safeEntriesSelectFieldPath, 'utf8');
         try {
           if (typeof fileContent === 'string') {
             const parsed = JSON?.parse(fileContent);
@@ -739,7 +748,12 @@ const getAuditData = async (req: Request): Promise<any> => {
         }
       }
       if (entriesExists) {
-        const fileContent = await fsPromises?.readFile(entriesPath, 'utf8');
+        const safeEntriesPath = getSafePath(entriesPath);
+        // Ensure the sanitized path is within the auditLogPath directory
+        if (!safeEntriesPath.startsWith(auditLogPath)) {
+          throw new BadRequestError('Access to this file is not allowed.');
+        }
+        const fileContent = await fsPromises?.readFile(safeEntriesPath, 'utf8');
         try {
           if (typeof fileContent === 'string') {
             const parsed = JSON?.parse(fileContent);
@@ -753,7 +767,19 @@ const getAuditData = async (req: Request): Promise<any> => {
       fileData = combinedData;
     } else {
       if (fs?.existsSync(filePath)) {
-        const fileContent = await fsPromises?.readFile(filePath, 'utf8');
+        const safeFilePath = getSafePath(filePath);
+        // Ensure the sanitized path is within the auditLogPath directory
+        if (!safeFilePath.startsWith(auditLogPath)) {
+          throw new BadRequestError('Access to this file is not allowed.');
+        }
+        // Prevent path traversal by checking for '..' and ensuring the path is within auditLogPath
+        if (
+          safeFilePath.includes('..') ||
+          !safeFilePath.startsWith(auditLogPath)
+        ) {
+          throw new BadRequestError('Path traversal detected or access to this file is not allowed.');
+        }
+        const fileContent = await fsPromises?.readFile(safeFilePath, 'utf8');
         try {
           if (typeof fileContent === 'string') {
             fileData = JSON?.parse(fileContent);

ui/package-lock.json

@@ -1,63 +1,72 @@
 .select-container {
-    display: flex;
+  display: flex;
 
-    .select-wrapper {
-        display: flex;
-        margin-left: 1rem;
-    }
+  .select-wrapper {
+    display: flex;
+    margin-left: 1rem;
+  }
 }
 
 .Search-input-show {
-    margin-bottom: 4px;
+  margin-bottom: 4px;
 }
 
-.PageLayout--primary .PageLayout__leftSidebar+.PageLayout__content .PageLayout__body {
-    width: calc(100% - 15rem);
+.PageLayout--primary .PageLayout__leftSidebar + .PageLayout__content .PageLayout__body {
+  width: calc(100% - 15rem);
 }
 
 .Table__head__row {
-    height: 100% !important;
+  height: 100% !important;
 }
 
 .PageLayout__body {
-    .table-height {
-        .Table {
-            height: calc(100vh - 12.75rem) !important;
-        }
-
-        .Table.TableWithPaginated {
-            .Table__body {
-                height: calc(100vh - 18.5rem) !important;
-            }
-        }
+  .table-height {
+    .Table {
+      height: calc(100vh - 12.75rem) !important;
+    }
+
+    .Table.TableWithPaginated {
+      .Table__body {
+        height: calc(100vh - 18.5rem) !important;
+      }
     }
+  }
 }
 
 .custom-empty-state {
-    .Icon--original {
-        width: 207px !important;
-        height: auto !important;
-        max-width: 100%;
-        display: block;
-        margin: 0 auto;
-    }
+  .Icon--original {
+    width: 207px !important;
+    height: auto !important;
+    max-width: 100%;
+    display: block;
+    margin: 0 auto;
+  }
 }
 
 .Table__head__column {
-    align-items: center;
-    display: flex;
-    justify-content: space-between;
+  align-items: center;
+  display: flex;
+  justify-content: space-between;
 }
 
 .TablePagination {
-    position: sticky;
-    bottom: 0;
+  position: sticky;
+  bottom: 0;
 }
 
 .tree-struct {
-    width: 300px !important;
+  width: 300px !important;
 }
 
 .missing-val {
-    width: 270px !important;
-}
+  width: 270px !important;
+}
+
+.tooltip-text {
+    max-width: 220px;
+    white-space: nowrap;
+    overflow: hidden;
+    text-overflow: ellipsis;
+    display: inline-block;
+    vertical-align: middle;
+  }