fix: prevent path traversal in config file handlers#1388
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #1388 +/- ##
==========================================
+ Coverage 79.86% 79.89% +0.02%
==========================================
Files 153 153
Lines 7064 7067 +3
Branches 1550 1550
==========================================
+ Hits 5642 5646 +4
Misses 781 781
+ Partials 641 640 -1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
This could be a breaking change — absolute and CWD-relative paths are no longer accepted
The removed fallbacks (toLoad = f in YAML context, fs.existsSync(unixPath) branch in actions) were also the mechanism that allowed users to specify absolute paths or paths relative to the working directory. Users with existing configs like this will now get a hard error:
YAML — was valid before, now throws
pages:
- name: login
html: "/home/ci/scripts/login.html"
action.json — was valid before, now throws
{ "code": "./local/scripts/action.js" }
You are right @kushalshit27 Updated the error messages to guide users toward config-relative paths instead of surfacing a "path traversal" warning, which could be confusing for legitimate use cases. Will add a CHANGELOG entry to call this out explicitly. |
|
@ankita10119 , |
| '/** @type {PostLoginAction} */ module.exports = async (event, context) => { console.log(@@replace@@); return {}; };', | ||
| 'action-one.json': `{ | ||
| "name": "action-one", | ||
| "code": "./local/testData/directory/test1/actions/code.js", |
There was a problem hiding this comment.
2 set Unit test should be add:
- old path
- new path
There was a problem hiding this comment.
Addressed and updated
I understand the concern @kushalshit27 But making this backwards-compatible would conflict with actually fixing the security issue. Any approach that still falls through to the raw path (absolute or CWD-relative) for unrecognized references would allow a config file to reference files like The realistic attack vector is a CI pipeline pulling config from a compromised source where a malicious path silently exfiltrates sensitive files into Auth0. The hard error is necessary to close that I've added explicit test coverage for both the rejection case (path outside config root) and the happy path (relative path within config dir), and will document this as a breaking change in the CHANGELOG. |
3 participants
🔧 Changes
Fixes a path traversal vulnerability in config file handlers where user-supplied file paths in configuration (e.g.
code,customScripts) could reference files outside the config directory using sequences like../../.Changes:
DirectoryContext.loadFile: Resolves the final path and validates it stays within the config root before loading. Removes the previous fallback that silently tried the raw path if the relative path didn't exist, that fallback was the entry point for traversalyaml/index.ts: Same boundary check applied to the YAML context'sloadFile, throwing an explicit error if the resolved path escapes the config directorydatabases.ts: Added config root boundary check forcustomScriptsfile paths defined indatabase.jsonactions.ts/actionModules.ts: Removed thefs.existsSyncbranch that allowed absolute or root-relative paths to bypass the relative-path resolution, paths are now always resolved relative to the handler folder📚 References
🔬 Testing
./actions/code.js) instead of absolute paths, reflecting the new enforcement that file references must stay within the config directorypage.htmlinstead of an absolute path, and fixed file write ordering to match the new resolution logic../../etc/passwdas a script path) will now throw an explicit error rather than silently loading the file📝 Checklist