(filePath: string)
| 67 | * @returns {boolean} True if path traversal detected, false otherwise |
| 68 | */ |
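export const isUnsafeFilePath = (filePath: string): boolean => {
  // Kill switch: PATH_TRAVERSAL_SAFETY=false disables every check below, so
  // any caller-supplied path is then accepted as-is.
  if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {
    return false
  }

  // Missing, empty or non-string input is rejected rather than trusted.
  if (!filePath || typeof filePath !== 'string') {
    return true
  }

  // Each pattern names one way a caller-controlled path can escape the
  // intended directory; the path is unsafe when ANY of them matches.
  const dangerousPatterns = [
    /\.\./, // Directory traversal (..)
    /%2e%2e/i, // URL encoded ..
    /%2f/i, // URL encoded /
    /%5c/i, // URL encoded \
    /\0/, // Null bytes
    // eslint-disable-next-line no-control-regex
    /[\x00-\x1f]/, // Control characters
    // Any leading slash or backslash: absolute Unix paths (/etc), double-slash
    // forms (//host/share), root-relative Windows paths (\dir), UNC paths
    // (\\server\share), extended-length (\\?\) and device (\\.\) paths.
    // The earlier `/^\/[^/]/` and `/^\\\\[^\\]/` forms let `//...` and
    // `\\\\...` through.
    /^[\\\/]/,
    // Windows drive-qualified paths with either separator (C:\, C:/) and
    // drive-relative paths (C:foo); the earlier form only matched `C:\`.
    /^[a-zA-Z]:/
  ]

  return dangerousPatterns.some((pattern) => pattern.test(filePath))
}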
| 95 | |
| 96 | /** |
| 97 | * Validates filename format and security |