Missing path traversal validation on --output parameter #57

@tembo

Security Vulnerability Report

Severity: Medium

Vulnerability Type: Path Traversal

Affected Files and Lines

  • src/commands/blog.ts - Lines 514-525

Code Snippet

let outputDir: string;
if (options.output) {
  outputDir = options.output;
} else if (config.blog?.outputDir) {
  outputDir = config.blog.outputDir;
} else {
  // Try to find existing content directory, or use framework default
  const existingDir = findExistingContentDir(cwd, framework);
  outputDir = existingDir || frameworkConfig.draftsDir;
}

if (!existsSync(outputDir)) {
  mkdirSync(outputDir, { recursive: true });
}

Description

The --output parameter from CLI arguments is used directly to create directories without proper path traversal validation. If a user provides a path like ../../../, it could potentially write files outside the intended project directory.

Impact

  • Files could be written outside the intended project directory
  • Potential overwriting of system files if running with elevated privileges
  • Data could be placed in unexpected locations

Recommended Fix

Add path validation:

import { resolve } from 'path';

if (options.output) {
  const resolved = resolve(cwd, options.output);
  // Ensure the resolved path is within or descendent of cwd
  if (!resolved.startsWith(resolve(cwd))) {
    throw new Error(`Invalid output directory: path traversal detected`);
  }
  outputDir = resolved;
}
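A stand-alone version of the check, added here as an example (it is not code from the project or from the reporter), that shows why a prefix comparison alone is insufficient and how a check built on path.relative closes the gap. The base directory /srv/app and the candidate --output values are constructed sample inputs.

```typescript
import { resolve, relative, isAbsolute, sep } from 'path';

// Prefix-only check, as in the report's suggested fix. It accepts any path
// whose string merely starts with the base, including sibling directories.
function prefixCheckAllows(cwd: string, requested: string): boolean {
  const base = resolve(cwd);
  return resolve(base, requested).startsWith(base);
}

// Hardened check: compute the target relative to the base and reject anything
// that climbs above it or lands on a different absolute root. This is a lexical
// check only; a symlink inside the base can still point elsewhere, so realpath
// the directory after creating it if that matters for the deployment.
function isInsideBase(cwd: string, requested: string): boolean {
  const base = resolve(cwd);
  const rel = relative(base, resolve(base, requested));
  if (rel === '') return true;        // the base directory itself
  if (isAbsolute(rel)) return false;  // e.g. another drive letter on Windows
  return rel !== '..' && !rel.startsWith(`..${sep}`);
}

// Drop-in replacement for the unchecked `outputDir = options.output`.
function resolveOutputDir(cwd: string, requested: string): string {
  if (!isInsideBase(cwd, requested)) {
    throw new Error(`Invalid output directory: path traversal detected`);
  }
  return resolve(cwd, requested);
}

// Constructed sample inputs a CLI user might pass as --output (hypothetical).
const SAMPLE_BASE = '/srv/app';
const SAMPLE_INPUTS = [
  'content/drafts',     // ordinary relative path
  'content/../drafts',  // dot segments that stay inside the project
  '../app-secrets',     // sibling directory: passes the prefix check only
  '../../etc/cron.d',   // classic traversal
  '/etc/cron.d',        // absolute path outside the project
];

// Run both checks over the samples; returns [input, prefixAllows, hardenedAllows].
function compareChecks(): Array<[string, boolean, boolean]> {
  return SAMPLE_INPUTS.map((p) => [
    p,
    prefixCheckAllows(SAMPLE_BASE, p),
    isInsideBase(SAMPLE_BASE, p),
  ]);
}
```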
