Potential fixes for 9 code scanning alerts

package.json

@@ -49,7 +49,8 @@
     "reflect-metadata": "^0.1.13",
     "rimraf": "^3.0.2",
     "rxjs": "^6.6.3",
-    "stream-buffers": "^3.0.2"
+    "stream-buffers": "^3.0.2",
+    "shell-quote": "^1.8.1"
   },
   "devDependencies": {
     "@mikro-orm/cli": "^4.3.3",

src/app.controller.ts

@@ -19,6 +19,7 @@ import {
   ApiTags,
 } from '@nestjs/swagger';
 import { spawn } from 'child_process';
+import * as shellQuote from 'shell-quote';
 import * as dotT from 'dot';
 import { parseXml } from 'libxmljs';
 import { AppConfig } from './app.config.api';
@@ -112,7 +113,8 @@ export class AppController {
 
     return new Promise((res, rej) => {
       try {
-        const [exec, ...args] = command.split(' ');
+        const parsedCommand = shellQuote.parse(command);
+        const [exec, ...args] = parsedCommand;
         const ps = spawn(exec, args);
 
         ps.stdout.on('data', (data: Buffer) => {

src/file/file.controller.ts

@@ -64,11 +64,17 @@ export class FileController {
     description: 'save raw content on server as a file',
   })
   @Put('raw')
-  async uploadFile(@Query('path') file, @Body() raw: Buffer): Promise<void> {
+  async uploadFile(@Query('path') filePath: string, @Body() raw: Buffer): Promise<void> {
+    const SAFE_ROOT = '/safe/root/directory';
     try {
       if (typeof raw === 'string' || Buffer.isBuffer(raw)) {
-        await fs.promises.access(path.dirname(file), W_OK);
-        await fs.promises.writeFile(file, raw);
+        const resolvedPath = path.resolve(SAFE_ROOT, filePath);
+        if (!resolvedPath.startsWith(SAFE_ROOT)) {
+          this.logger.error('Invalid file path');
+          return;
+        }
+        await fs.promises.access(path.dirname(resolvedPath), W_OK);
+        await fs.promises.writeFile(resolvedPath, raw);
       }
     } catch (err) {
       this.logger.error(err.message);

src/file/file.service.ts

@@ -10,13 +10,13 @@ export class FileService {
   private readonly logger = new Logger(FileService.name);
   private cloudProviders = new CloudProvidersMetaData();
 
+  private readonly ROOT_DIR = path.resolve(process.cwd(), 'safe_root_directory');
+
   async getFile(file: string): Promise<Stream> {
     this.logger.log(`Reading file: ${file}`);
 
     if (file.startsWith('/')) {
-      await fs.promises.access(file, R_OK);
-
-      return fs.createReadStream(file);
+      file = path.resolve(file);
     } else if (file.startsWith('http')) {
       const content = this.cloudProviders.get(file);
 
@@ -26,23 +26,32 @@ export class FileService {
         throw new Error(`no such file or directory, access '${file}'`);
       }
     } else {
-      file = path.resolve(process.cwd(), file);
-
-      await fs.promises.access(file, R_OK);
+      file = path.resolve(this.ROOT_DIR, file);
+    }
 
-      return fs.createReadStream(file);
+    if (!file.startsWith(this.ROOT_DIR)) {
+      throw new Error('Access to the specified file is not allowed');
     }
+
+    await fs.promises.access(file, R_OK);
+
+    return fs.createReadStream(file);
   }
 
   async deleteFile(file: string): Promise<boolean> {
     if (file.startsWith('/')) {
-      throw new Error('cannot delete file from this location');
+      file = path.resolve(file);
     } else if (file.startsWith('http')) {
       throw new Error('cannot delete file from this location');
     } else {
-      file = path.resolve(process.cwd(), file);
-      await fs.promises.unlink(file);
-      return true;
+      file = path.resolve(this.ROOT_DIR, file);
     }
+
+    if (!file.startsWith(this.ROOT_DIR)) {
+      throw new Error('Access to the specified file is not allowed');
+    }
+
+    await fs.promises.unlink(file);
+    return true;
   }
 }