wip

Author: kof

apps/builder/app/routes/cgi.asset.$.ts

@@ -2,21 +2,14 @@ import { createReadStream, existsSync } from "node:fs";
 import { join } from "node:path";
 import { createReadableStreamFromReadable } from "@remix-run/node";
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { getMimeTypeByFilename, isAllowedExtension } from "@webstudio-is/sdk";
+import {
+  getMimeTypeByFilename,
+  isAllowedExtension,
+  decodePathFragment,
+} from "@webstudio-is/sdk";
 import env from "~/env/env.server";
 import { fileUploadPath } from "~/shared/asset-client";
 
-const decodePathFragment = (fragment: string) => {
-  const decoded = decodeURIComponent(fragment);
-
-  // Prevent path traversal attacks
-  if (decoded.includes("..") || decoded.startsWith("/")) {
-    throw new Error("Invalid file path");
-  }
-
-  return decoded;
-};
-
 // This route serves generic assets without processing
 export const loader = async ({ request }: LoaderFunctionArgs) => {
   const basePath = `/cgi/asset/`;

apps/builder/app/routes/cgi.image.$.ts

@@ -4,6 +4,7 @@ import { z } from "zod";
 import { createReadableStreamFromReadable } from "@remix-run/node";
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { wsImageLoader } from "@webstudio-is/image";
+import { decodePathFragment } from "@webstudio-is/sdk";
 import env from "~/env/env.server";
 import { getImageNameAndType } from "~/builder/shared/assets/asset-utils";
 import { fileUploadPath } from "~/shared/asset-client";
@@ -29,10 +30,6 @@ const ImageParams = z.object({
   ]),
 });
 
-const decodePathFragment = (fragment: string) => {
-  return decodeURIComponent(fragment);
-};
-
 // this route used as proxy for images to cloudflare endpoint
 // https://developers.cloudflare.com/fundamentals/get-started/reference/cdn-cgi-endpoint/
 

apps/builder/app/routes/cgi.video.$.ts

@@ -3,13 +3,9 @@ import { join } from "node:path";
 import { createReadableStreamFromReadable } from "@remix-run/node";
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import env from "~/env/env.server";
-import { getMimeTypeByFilename } from "@webstudio-is/sdk";
+import { getMimeTypeByFilename, decodePathFragment } from "@webstudio-is/sdk";
 import { fileUploadPath } from "~/shared/asset-client";
 
-const decodePathFragment = (fragment: string) => {
-  return decodeURIComponent(fragment);
-};
-
 // this route used as proxy for videos to cloudflare endpoint or serve local files
 // https://developers.cloudflare.com/fundamentals/get-started/reference/cdn-cgi-endpoint/
 

packages/sdk/src/assets.test.ts

@@ -13,6 +13,7 @@ import {
   FONT_EXTENSIONS,
   FILE_EXTENSIONS_BY_CATEGORY,
   detectAssetType,
+  decodePathFragment,
 } from "./assets";
 
 describe("allowed-file-types", () => {
@@ -368,4 +369,39 @@ describe("allowed-file-types", () => {
       expect(detectAssetType("my.doc.file.pdf")).toBe("file");
     });
   });
+
+  describe("decodePathFragment", () => {
+    test("decodes URI components correctly", () => {
+      expect(decodePathFragment("hello%20world.jpg")).toBe("hello world.jpg");
+      expect(decodePathFragment("image%2Btest.png")).toBe("image+test.png");
+      expect(decodePathFragment("file%40name.pdf")).toBe("[email protected]");
+    });
+
+    test("throws error on path traversal attempts with ..", () => {
+      expect(() => decodePathFragment("../secret.txt")).toThrow(
+        "Invalid file path"
+      );
+      expect(() => decodePathFragment("folder/../secret.txt")).toThrow(
+        "Invalid file path"
+      );
+      expect(() => decodePathFragment("..%2Fsecret.txt")).toThrow(
+        "Invalid file path"
+      );
+    });
+
+    test("throws error on absolute path attempts", () => {
+      expect(() => decodePathFragment("/etc/passwd")).toThrow(
+        "Invalid file path"
+      );
+      expect(() => decodePathFragment("%2Fetc%2Fpasswd")).toThrow(
+        "Invalid file path"
+      );
+    });
+
+    test("allows normal filenames and paths", () => {
+      expect(decodePathFragment("image.jpg")).toBe("image.jpg");
+      expect(decodePathFragment("folder/image.jpg")).toBe("folder/image.jpg");
+      expect(decodePathFragment("my-file_123.png")).toBe("my-file_123.png");
+    });
+  });
 });

packages/sdk/src/assets.ts

@@ -289,6 +289,21 @@ export const detectAssetType = (
   return "file";
 };
 
+/**
+ * Safely decode a URL path fragment, preventing path traversal attacks
+ * @throws Error if the decoded path contains path traversal attempts
+ */
+export const decodePathFragment = (fragment: string): string => {
+  const decoded = decodeURIComponent(fragment);
+
+  // Prevent path traversal attacks
+  if (decoded.includes("..") || decoded.startsWith("/")) {
+    throw new Error("Invalid file path");
+  }
+
+  return decoded;
+};
+
 /**
  * Generates the appropriate URL for an asset based on its type and format.
  * - Images use /cgi/image/ with format=raw

packages/sdk/src/expression.ts

@@ -49,7 +49,6 @@ export const allowedArrayMethods = new Set([
   "includes",
   "join",
   "slice",
-  "find",
   "filter",
 ]);
 
@@ -96,43 +95,8 @@ export const lintExpression = ({
       sourceType: "module",
     });
 
-    // Track arrow functions that are used as callbacks for safe array methods
-    type ArrowFunctionNode = Node & { type: "ArrowFunctionExpression" };
-    const allowedArrowFunctions = new Set<ArrowFunctionNode>();
-    // Track arrow function parameters to skip validation
-    const arrowFunctionParams = new Set<string>();
-
-    // First pass: identify arrow functions used in safe contexts
-    simple(root, {
-      CallExpression(node) {
-        if (node.callee.type === "MemberExpression") {
-          if (node.callee.property.type === "Identifier") {
-            const methodName = node.callee.property.name;
-            if (allowedArrayMethods.has(methodName)) {
-              // Mark arrow function arguments as allowed
-              for (const arg of node.arguments) {
-                if (arg.type === "ArrowFunctionExpression") {
-                  allowedArrowFunctions.add(arg);
-                  // Collect parameter names
-                  for (const param of arg.params) {
-                    if (param.type === "Identifier") {
-                      arrowFunctionParams.add(param.name);
-                    }
-                  }
-                }
-              }
-            }
-          }
-        }
-      },
-    });
-
     simple(root, {
       Identifier(node) {
-        // Skip validation for arrow function parameters
-        if (arrowFunctionParams.has(node.name)) {
-          return;
-        }
         if (availableVariables.has(node.name) === false) {
           addMessage(
             `"${node.name}" is not defined in the scope`,
@@ -196,12 +160,7 @@ export const lintExpression = ({
       },
       NewExpression: addMessage("Classes are not supported"),
       SequenceExpression: addMessage(`Only single expression is supported`),
-      ArrowFunctionExpression(node) {
-        // Allow arrow functions only when used as callbacks for safe array methods
-        if (!allowedArrowFunctions.has(node)) {
-          addMessage("Functions are not supported")(node);
-        }
-      },
+      ArrowFunctionExpression: addMessage("Functions are not supported"),
       TaggedTemplateExpression: addMessage("Tagged template is not supported"),
       ClassExpression: addMessage("Classes are not supported"),
       MetaProperty: addMessage("Imports are not supported"),