Sanitize dynamic path.resolve and path.join calls

package.json

@@ -46,6 +46,7 @@
     "handlebars": "^4.0.5",
     "htmlbars": "^0.14.16",
     "ini": "^1.3.4",
+    "is-path-inside": "^1.0.0",
     "is-url": "^1.2.1",
     "istextorbinary": "^1.0.2",
     "jshashes": "^1.0.5",

src/adapters/DropboxAdapter.js

@@ -15,6 +15,8 @@ var DropboxOAuth2Strategy = require('passport-dropbox-oauth2').Strategy;
 var LoginAdapter = require('./LoginAdapter');
 var StorageAdapter = require('./StorageAdapter');
 
+var resolveChildPath = require('../utils/resolveChildPath');
+
 var FileModel = require('../models/FileModel');
 
 var HttpError = require('../errors/HttpError');
@@ -291,7 +293,7 @@ DropboxStorageAdapter.prototype.readFile = function(filePath, siteAdapterConfig,
 		.connect(uid, accessToken)
 		.then(function(dropboxClient) {
 			var sitePath = siteAdapterConfig.path;
-			var fullPath = path.join(sitePath, filePath);
+			var fullPath = resolveChildPath(sitePath, filePath);
 			return dropboxClient.readFile(fullPath);
 		});
 };
@@ -305,7 +307,7 @@ DropboxStorageAdapter.prototype.retrieveDownloadLink = function(filePath, siteAd
 		.connect(uid, accessToken)
 		.then(function(dropboxClient) {
 			var sitePath = siteAdapterConfig.path;
-			var fullPath = path.join(sitePath, filePath);
+			var fullPath = resolveChildPath(sitePath, filePath);
 			return dropboxClient.generateDownloadLink(fullPath);
 		});
 };
@@ -319,7 +321,7 @@ DropboxStorageAdapter.prototype.retrievePreviewLink = function(filePath, siteAda
 		.connect(uid, accessToken)
 		.then(function(dropboxClient) {
 			var sitePath = siteAdapterConfig.path;
-			var fullPath = path.join(sitePath, filePath);
+			var fullPath = resolveChildPath(sitePath, filePath);
 			return dropboxClient.generatePreviewLink(fullPath);
 		});
 };
@@ -333,7 +335,7 @@ DropboxStorageAdapter.prototype.retrieveThumbnailLink = function(filePath, siteA
 		.connect(uid, accessToken)
 		.then(function(dropboxClient) {
 			var sitePath = siteAdapterConfig.path;
-			var fullPath = path.join(sitePath, filePath);
+			var fullPath = resolveChildPath(sitePath, filePath);
 			return dropboxClient.generateThumbnailLink(fullPath);
 		});
 };

src/adapters/LocalAdapter.js

@@ -16,6 +16,7 @@ var StorageAdapter = require('./StorageAdapter');
 
 var AuthenticationService = require('../services/AuthenticationService');
 
+var resolveChildPath = require('../utils/resolveChildPath');
 var loadFileMetadata = require('../utils/loadFileMetadata');
 
 var HttpError = require('../errors/HttpError');
@@ -190,8 +191,8 @@ LocalStorageAdapter.prototype.initSiteFolder = function(siteFiles, siteAdapterCo
 
 
 	function checkWhetherFileExists(filePath) {
-		var fullPath = path.join(sitesRoot, filePath);
 		return new Promise(function(resolve, reject) {
+			var fullPath = resolveChildPath(sitesRoot, filePath);
 			fs.stat(fullPath, function(error, stat) {
 				if (error && (error.code === 'ENOENT')) {
 					return resolve(false);
@@ -206,8 +207,8 @@ LocalStorageAdapter.prototype.initSiteFolder = function(siteFiles, siteAdapterCo
 	function copySiteFiles(sitePath, dirContents) {
 		var files = getFileListing(dirContents);
 		return Promise.resolve(mapSeries(files, function(fileMetadata) {
-			var filePath = path.join(sitePath, fileMetadata.path);
-			var fullPath = path.join(sitesRoot, filePath);
+			var filePath = resolveChildPath(sitePath, fileMetadata.path);
+			var fullPath = resolveChildPath(sitesRoot, filePath);
 			var fileContents = fileMetadata.contents;
 			return writeFile(fullPath, fileContents);
 		}).then(function(results) {
@@ -249,11 +250,17 @@ LocalStorageAdapter.prototype.initSiteFolder = function(siteFiles, siteAdapterCo
 LocalStorageAdapter.prototype.loadSiteContents = function(siteAdapterConfig, userAdapterConfig) {
 	var sitesRoot = this.sitesRoot;
 	var siteFolderPath = siteAdapterConfig.path;
-	var fullPath = path.join(sitesRoot, siteFolderPath);
-	return loadFileMetadata(fullPath, {
-		root: fullPath,
-		contents: true
+	return new Promise(function(resolve, reject) {
+		resolve(
+			resolveChildPath(sitesRoot, siteFolderPath)
+		);
 	})
+		.then(function(fullPath) {
+			return loadFileMetadata(fullPath, {
+				root: fullPath,
+				contents: true
+			});
+		})
 		.then(function(rootFolder) {
 			return {
 				root: rootFolder,
@@ -265,8 +272,8 @@ LocalStorageAdapter.prototype.loadSiteContents = function(siteAdapterConfig, use
 LocalStorageAdapter.prototype.readFile = function(filePath, siteAdapterConfig, userAdapterConfig) {
 	var sitesRoot = this.sitesRoot;
 	var sitePath = siteAdapterConfig.path;
-	var fullPath = path.join(sitesRoot, sitePath, filePath);
 	return new Promise(function(resolve, reject) {
+		var fullPath = resolveChildPath(sitesRoot, sitePath, filePath);
 		fs.readFile(fullPath, { encoding: 'utf8' }, function(error, data) {
 			if (error) { return reject(error); }
 			resolve(data);
@@ -294,11 +301,17 @@ LocalStorageAdapter.prototype.retrieveThumbnailLink = function(filePath, siteAda
 
 LocalStorageAdapter.prototype.retrieveFileMetadata = function(filePath, userAdapterConfig) {
 	var sitesRoot = this.sitesRoot;
-	var fullPath = path.resolve(sitesRoot, filePath);
-	return loadFileMetadata(fullPath, {
-		root: sitesRoot,
-		contents: false
+	return new Promise(function(resolve, reject) {
+		resolve(
+			resolveChildPath(sitesRoot, filePath)
+		);
 	})
+		.then(function(fullPath) {
+			return loadFileMetadata(fullPath, {
+				root: sitesRoot,
+				contents: false
+			});
+		})
 		.catch(function(error) {
 			if (error.code === 'ENOENT') { return null; }
 			throw error;

src/apps/router.js

@@ -50,7 +50,7 @@ module.exports = function(database, cache, config) {
 	var siteTemplatePath = config.templates.site;
 	var themesPath = config.themes.root;
 
-	var partialsPath = path.resolve(appTemplatesPath, '_partials');
+	var partialsPath = path.join(appTemplatesPath, '_partials');
 	var adminTemplatesPath = path.join(appTemplatesPath, 'admin');
 	var demoTemplatesPath = path.join(appTemplatesPath, 'demo');
 	var faqPath = path.join(appTemplatesPath, 'faq/faq.json');

src/utils/resolveChildPath.js

@@ -0,0 +1,14 @@
+'use strict';
+
+var path = require('path');
+var isPathInside = require('is-path-inside');
+
+var HttpError = require('../errors/HttpError');
+
+module.exports = function(from, to) {
+	var parentPath = path.resolve(from);
+	var childPaths = Array.prototype.slice.call(arguments, 1);
+	var fullPath = path.join.apply(path, [parentPath].concat(childPaths));
+	if (!isPathInside(fullPath, parentPath)) { throw new HttpError(403, 'Invalid path'); }
+	return fullPath;
+};

src/utils/resolveThemePaths.js

@@ -1,16 +1,16 @@
 'use strict';
 
-var path = require('path');
 var objectAssign = require('object-assign');
 
+var resolveChildPath = require('./resolveChildPath');
 var resolvePartials = require('./resolvePartials');
 
 module.exports = function(theme, themePath) {
 	return objectAssign({}, theme, {
 		templates: Object.keys(theme.templates).reduce(function(templates, templateId) {
 			var template = theme.templates[templateId];
-			var templatePath = path.resolve(themePath, template.filename);
-			var partialsRoot = (template.options && template.options.partials ? path.resolve(themePath, template.options.partials) : null);
+			var templatePath = resolveChildPath(themePath, template.filename);
+			var partialsRoot = (template.options && template.options.partials ? resolveChildPath(themePath, template.options.partials) : null);
 			var resolvedPartials = (partialsRoot ? resolvePartials(partialsRoot) : null);
 			var resolvedOptions = (resolvedPartials ? objectAssign({}, template.options, { partials: resolvedPartials }) : template.options);
 			var resolvedTemplate = objectAssign({}, template, {