fix: adds failsafe checking for directory location and structure

Author: dcoric

package-lock.json

@@ -46,6 +46,7 @@
     "connect-mongo": "^5.1.0",
     "cors": "^2.8.5",
     "diff2html": "^3.4.33",
+    "env-paths": "^3.0.0",
     "express": "^4.18.2",
     "express-http-proxy": "^2.0.0",
     "express-rate-limit": "^7.1.5",

package.json

@@ -5,6 +5,33 @@ const { execFile } = require('child_process');
 const { promisify } = require('util');
 const execFileAsync = promisify(execFile);
 const EventEmitter = require('events');
+const envPaths = require('env-paths');
+
+// Add path validation helper
+function isValidPath(filePath) {
+  const resolvedPath = path.resolve(filePath);
+  const cwd = process.cwd();
+  return resolvedPath.startsWith(cwd);
+}
+
+// Add URL validation helper
+function isValidGitUrl(url) {
+  // Allow git://, https://, or ssh:// URLs
+  // Also allow scp-style URLs (user@host:path)
+  const validUrlPattern =
+    /^(git:\/\/|https:\/\/|ssh:\/\/|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}:)/;
+  return typeof url === 'string' && validUrlPattern.test(url);
+}
+
+// Add branch name validation helper
+function isValidBranchName(branch) {
+  // Branch names can contain alphanumeric, -, _, /, and .
+  // Cannot start with - or .
+  // Cannot contain consecutive dots
+  // Cannot contain control characters or spaces
+  const validBranchPattern = /^[a-zA-Z0-9][a-zA-Z0-9\-_/.]*$/;
+  return typeof branch === 'string' && validBranchPattern.test(branch);
+}
 
 class ConfigLoader extends EventEmitter {
   constructor(initialConfig) {
@@ -20,6 +47,12 @@ class ConfigLoader extends EventEmitter {
       return;
     }
 
+    // Clear any existing interval before starting a new one
+    if (this.reloadTimer) {
+      clearInterval(this.reloadTimer);
+      this.reloadTimer = null;
+    }
+
     // Start periodic reload if interval is set
     if (configurationSources.reloadIntervalSeconds > 0) {
       this.reloadTimer = setInterval(
@@ -92,6 +125,9 @@ class ConfigLoader extends EventEmitter {
 
   async loadFromFile(source) {
     const configPath = path.resolve(process.cwd(), source.path);
+    if (!isValidPath(configPath)) {
+      throw new Error('Invalid configuration file path');
+    }
     const content = await fs.promises.readFile(configPath, 'utf8');
     return JSON.parse(content);
   }
@@ -108,24 +144,40 @@ class ConfigLoader extends EventEmitter {
 
   async loadFromGit(source) {
     // Validate inputs
-    if (!source.repository || typeof source.repository !== 'string') {
-      throw new Error('Invalid repository URL');
+    if (!source.repository || !isValidGitUrl(source.repository)) {
+      throw new Error('Invalid repository URL format');
     }
-    if (source.branch && typeof source.branch !== 'string') {
-      throw new Error('Invalid branch name');
+    if (source.branch && !isValidBranchName(source.branch)) {
+      throw new Error('Invalid branch name format');
     }
 
-    const tempDir = path.join(process.cwd(), '.git-config-cache');
+    // Use OS-specific cache directory
+    const paths = envPaths('git-proxy', { suffix: '' });
+    const tempDir = path.join(paths.cache, 'git-config-cache');
+    if (!isValidPath(tempDir)) {
+      throw new Error('Invalid temporary directory path');
+    }
     await fs.promises.mkdir(tempDir, { recursive: true });
 
     const repoDir = path.join(tempDir, Buffer.from(source.repository).toString('base64'));
+    if (!isValidPath(repoDir)) {
+      throw new Error('Invalid repository directory path');
+    }
 
     // Clone or pull repository
     if (!fs.existsSync(repoDir)) {
-      if (source.auth?.type === 'ssh') {
-        process.env.GIT_SSH_COMMAND = `ssh -i ${source.auth.privateKeyPath}`;
-      }
-      await execFileAsync('git', ['clone', source.repository, repoDir]);
+      const execOptions = {
+        cwd: process.cwd(),
+        env: {
+          ...process.env,
+          ...(source.auth?.type === 'ssh'
+            ? {
+                GIT_SSH_COMMAND: `ssh -i ${source.auth.privateKeyPath}`,
+              }
+            : {}),
+        },
+      };
+      await execFileAsync('git', ['clone', source.repository, repoDir], execOptions);
     } else {
       await execFileAsync('git', ['pull'], { cwd: repoDir });
     }
@@ -137,6 +189,9 @@ class ConfigLoader extends EventEmitter {
 
     // Read and parse config file
     const configPath = path.join(repoDir, source.path);
+    if (!isValidPath(configPath)) {
+      throw new Error('Invalid configuration file path in repository');
+    }
     const content = await fs.promises.readFile(configPath, 'utf8');
     return JSON.parse(content);
   }