4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-05-24 - [Path Traversal Vulnerability in Manual Path Resolution]
**Vulnerability:** Path traversal vulnerability during manual path normalization.
**Learning:** `Component::ParentDir` was handled by blindly popping the last path component when canonicalization failed. This could cause it to mistakenly pop root (`/`) or prefix components, allowing traversal out of safe boundaries or stripping absolute path roots incorrectly. It also failed to correctly preserve `..` elements when traversing up from `..`.
**Prevention:** Always explicitly match against previous components during manual path normalization. Prevent `Component::ParentDir` from popping `Component::RootDir` or `Component::Prefix`. If the components list is empty or ends in `Component::ParentDir`, the new `Component::ParentDir` must be pushed to properly handle paths that traverse beyond the starting directory.
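Review bot: the **Learning** entry says the fallback runs "when canonicalization failed" but does not spell out the consequence: the manual pass is purely lexical, so it never resolves symlinks and a normalized path that looks inside the project can still point elsewhere on disk. Add one sentence to **Prevention** saying the result must still be compared against the allowed base directory after normalization, and point the heading at the code that was fixed (`TypeScriptDependencyExtractor` in `crates/flow/src/incremental/extractors/typescript.rs`) so the next reader can find the regression tests for the three cases listed here (pop past root/prefix, `..` after `..`, `..` on an empty list).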
16 changes: 15 additions & 1 deletion crates/flow/src/incremental/extractors/typescript.rs
@@ -808,7 +808,21 @@ impl TypeScriptDependencyExtractor {
for component in resolved.components() {
match component {
std::path::Component::ParentDir => {
components.pop();
if let Some(last) = components.last() {
match last {
std::path::Component::RootDir | std::path::Component::Prefix(_) => {
// Path traversal block: do not pop root or prefix
}
std::path::Component::ParentDir => {
components.push(component);
}
_ => {
components.pop();
}
}
} else {
components.push(component);
}
}
std::path::Component::CurDir => {}
_ => components.push(component),
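Review bot: the hunk carries no tests, and each of the three new branches in the `ParentDir` arm encodes a distinct security decision, so please add a unit test per branch: `RootDir | Prefix(_)` must leave the list unchanged (the `..` is dropped, which is the intended clamp at the filesystem root and deserves a comment saying so, since the current `// Path traversal block` comment only says what is not done), `ParentDir` must push a second `..` for relative inputs like `../../x`, and the empty-list `else` must push `..`. Two smaller points: the wildcard arm `_ => { components.pop(); }` is only ever reached for `Component::Normal(_)` because `CurDir` is never pushed, so matching `Normal(_)` explicitly would make that invariant visible instead of relying on the outer `CurDir => {}` arm; and the repeated `std::path::Component::` qualification would read more easily with a `use std::path::Component;` at the top of the file.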