Bugfix/snyk 2023-08-18 (#6555)

cscheid · web-flow · commit 464285f8df00 · 2023-08-18T14:02:54.000-07:00
* ensure file normalization in exception handler

* escape string before using it in regexp

* escape exception
diff --git a/src/core/http.ts b/src/core/http.ts
@@ -5,7 +5,7 @@
  */
 
 import { existsSync } from "fs/mod.ts";
-import { basename, extname, join, posix } from "path/mod.ts";
+import { basename, extname, join, normalize, posix } from "path/mod.ts";
 import { error, info } from "log/mod.ts";
 
 import * as colors from "fmt/colors.ts";
@@ -150,6 +150,11 @@ export function httpFileRequestHandler(
         }
       }
     } catch (e) {
+      // it's possible for an exception to occur before we've normalized the path
+      // so we need to renormalize it here
+      if (fsPath) {
+        fsPath = normalize(fsPath);
+      }
       response = await serveFallback(
         req,
         e,
diff --git a/src/core/language.ts b/src/core/language.ts
@@ -48,6 +48,11 @@ const translationCache = cacheMap(
   },
 );
 
+// https://stackoverflow.com/a/6969486
+function escapeRegExp(str: string) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // $& means the whole matched string
+}
+
 export async function readLanguageTranslations(
   translationFile: string,
   lang?: string,
@@ -66,7 +71,8 @@ export async function readLanguageTranslations(
 
   // determine additional variations to read
   const ext = extname(translationFile);
-  const [dir, stem] = dirAndStem(translationFile);
+  let [dir, stem] = dirAndStem(translationFile);
+  stem = escapeRegExp(stem);
   const variations: string[] = [];
   if (lang) {
     // enumerate variations dictated by this lang
diff --git a/src/resources/formats/revealjs/plugins/chalkboard/plugin.js b/src/resources/formats/revealjs/plugins/chalkboard/plugin.js
@@ -671,6 +671,15 @@ console.warn( "toggleNotesButton is deprecated, use customcontrols plugin instea
 			} );
 			a.href = window.URL.createObjectURL( blob );
 		} catch ( error ) {
+			// https://stackoverflow.com/a/6234804
+			// escape data for proper handling of quotes and line breaks
+			// in case malicious gets a chance to craft the exception message
+			error = String(error).replace(/&/g, "&amp;")
+					.replace(/</g, "&lt;")
+					.replace(/>/g, "&gt;")
+					.replace(/"/g, "&quot;")
+					.replace(/'/g, "&#039;");
+
 			a.innerHTML += ' (' + error + ')';
 		}
 		a.click();
