decentraland / events / 24403418397
64%

Build:
DEFAULT BRANCH: master
Ran 14 Apr 2026 02:31PM UTC
Jobs 1
Files 24
Run time 1min
14 Apr 2026 02:03PM UTC coverage: 60.296% (+1.3%) from 59.018%
24403418397

push

github

web-flow
fix: prevent path traversal in social routes file reader (#908)

* fix: prevent path traversal in social routes file reader

The readFile function in Social routes constructs a file path using
req.path, which is user-controlled. Because path.resolve() processes
".." segments, a crafted request path like /en/../../../etc/passwd
resolves outside the ./public directory, allowing reads from arbitrary
locations on the filesystem.

The fix resolves the public directory first, then validates that the
final file path starts with it before reading. Adds tests covering
both valid paths and traversal attempts.

* fix: address PR review feedback

- Use RequestError with BadRequest (400) instead of plain Error so
  path traversal attempts return a 400 rather than surfacing as 500s
  in server-error alerting.
- Remove the encoded-path test (%2F) — Express decodes percent-encoded
  slashes before populating req.path, so the test was exercising
  path.resolve treating %2F as a literal character, not the guard.
- Add boundary edge case test for req.path = '/..' which resolves to
  the parent of the public directory.

* fix: resolve lint errors in social routes tests

Remove unused imports (Response, EventModel, ScheduleModel), fix
import ordering, and collapse multi-line import to satisfy Prettier.

* fix: add symlink protection and sanitize originalUrl in metadata

Use fs.realpath() to resolve symlinks before the startsWith check,
closing the edge case where a symlink inside ./public/ points outside
the directory. The lexical path check alone cannot detect this.

HTML-escape req.originalUrl before passing it to replaceHelmetMetadata
in both injectEventMetadata and injectScheduleMetadata. The raw value
is user-controlled and ends up in OG meta tags, which is an XSS vector
if not encoded.

Adds tests for both: symlink escape via mocked realpath, and HTML
characters in originalUrl verified in the replaceHelmetMetadata call.

* fix: lexical traversal check before realpat... (continued)

143 of 193 branches covered (74.09%)

Branch coverage included in aggregate %.

17 of 17 new or added lines in 1 file covered. (100.0%)

2223 of 3731 relevant lines covered (59.58%)

2.23 hits per line

Jobs
ID  Job ID          Ran                       Files  Coverage
1   24403418397.1   14 Apr 2026 02:31PM UTC   24     60.3
GitHub Action Run
Source Files on build 24403418397
  • Tree
  • List 24
  • Changed 1
  • Source Changed 0
  • Coverage Changed 1
  • bb936deb on github

© 2026 Coveralls, Inc