fix: prevent path traversal for API endpoint URL (#1950)

* fix: prevent path traversal for API endpoint URL

* fix: switch to check for existence of slashes

Author: dcshzj

src/services/PageService.jsx

@@ -1,3 +1,5 @@
+const { isSafePath } = require("../utils/misc")
+
 export class PageService {
   constructor({ apiClient }) {
     this.apiClient = apiClient
@@ -12,6 +14,22 @@ export class PageService {
     resourceCategoryName,
     fileName,
   }) {
+    // Check the input parameters to ensure the paths are safe
+    const paramsToCheck = [
+      siteName,
+      collectionName,
+      subCollectionName,
+      resourceRoomName,
+      resourceCategoryName,
+      fileName,
+    ]
+
+    paramsToCheck.forEach((param) => {
+      if (param && !isSafePath(param)) {
+        throw new Error(`Unsafe path detected in parameter: ${param}`)
+      }
+    })
+
     let endpoint = `/sites/${siteName}`
     if (collectionName) {
       endpoint += `/collections/${collectionName}`

src/utils/misc.ts

@@ -7,3 +7,12 @@ export const isLinkInternal = (url: string) => {
   tempLink.href = url
   return tempLink.hostname === window.location.hostname
 }
+
+// Util method to check if a URL path is safe
+export const isSafePath = (path: string): boolean => {
+  if (path.indexOf("\\") !== -1) {
+    return false
+  }
+
+  return true
+}