fixed the path traversal issues

Author: cs-raj

packages/contentstack-variants/src/export/variant-entries.ts

@@ -1,6 +1,6 @@
 import { existsSync, mkdirSync } from 'fs';
 import { join, resolve } from 'path';
-import { FsUtility } from '@contentstack/cli-utilities';
+import { FsUtility, sanitizePath } from '@contentstack/cli-utilities';
 
 import { APIConfig, AdapterType, ExportConfig, LogType } from '../types';
 import VariantAdapter, { VariantHttpClient } from '../utils/variant-api-adapter';
@@ -25,7 +25,7 @@ export default class VariantEntries extends VariantAdapter<VariantHttpClient<Exp
       },
     };
     super(Object.assign(config, conf));
-    this.entriesDirPath = resolve(config.data, config.branchName || '', config.modules.entries.dirName);
+    this.entriesDirPath = resolve(sanitizePath(config.data), config.branchName || '', sanitizePath(config.modules.entries.dirName));
   }
 
   /**
@@ -39,7 +39,7 @@ export default class VariantEntries extends VariantAdapter<VariantHttpClient<Exp
 
     for (let index = 0; index < entries.length; index++) {
       const entry = entries[index];
-      const variantEntryBasePath = join(this.entriesDirPath, content_type_uid, locale, variantEntry.dirName, entry.uid);
+      const variantEntryBasePath = join(sanitizePath(this.entriesDirPath), sanitizePath(content_type_uid), sanitizePath(locale), sanitizePath(variantEntry.dirName), sanitizePath(entry.uid));
       const variantEntriesFs = new FsUtility({
         isArray: true,
         keepMetadata: false,

packages/contentstack-variants/src/import/experiences.ts

@@ -2,7 +2,7 @@ import { join, resolve } from 'path';
 import { existsSync } from 'fs';
 import values from 'lodash/values';
 import cloneDeep from 'lodash/cloneDeep';
-
+import { sanitizePath } from '@contentstack/cli-utilities';
 import { PersonalizationAdapter, fsUtil, lookUpAudiences, lookUpEvents } from '../utils';
 import { APIConfig, ImportConfig, ExperienceStruct, CreateExperienceInput, LogType } from '../types';
 
@@ -50,34 +50,34 @@ export default class Experiences extends PersonalizationAdapter<ImportConfig> {
       this.personalizationConfig.dirName,
       this.personalizationConfig.experiences.dirName,
     );
-    this.experiencesPath = join(this.experiencesDirPath, this.personalizationConfig.experiences.fileName);
+    this.experiencesPath = join(sanitizePath(this.experiencesDirPath), sanitizePath(this.personalizationConfig.experiences.fileName));
     this.experienceConfig = this.personalizationConfig.experiences;
     this.audienceConfig = this.personalizationConfig.audiences;
-    this.mapperDirPath = resolve(this.config.backupDir, 'mapper', this.personalizationConfig.dirName);
-    this.expMapperDirPath = resolve(this.mapperDirPath, this.experienceConfig.dirName);
-    this.experiencesUidMapperPath = resolve(this.expMapperDirPath, 'uid-mapping.json');
-    this.cmsVariantGroupPath = resolve(this.expMapperDirPath, 'cms-variant-groups.json');
-    this.cmsVariantPath = resolve(this.expMapperDirPath, 'cms-variants.json');
-    this.audiencesMapperPath = resolve(this.mapperDirPath, this.audienceConfig.dirName, 'uid-mapping.json');
-    this.eventsMapperPath = resolve(this.mapperDirPath, 'events', 'uid-mapping.json');
-    this.failedCmsExpPath = resolve(this.expMapperDirPath, 'failed-cms-experience.json');
-    this.failedCmsExpPath = resolve(this.expMapperDirPath, 'failed-cms-experience.json');
-    this.experienceCTsPath = resolve(this.experiencesDirPath, 'experiences-content-types.json');
+    this.mapperDirPath = resolve(sanitizePath(this.config.backupDir), 'mapper', sanitizePath(this.personalizationConfig.dirName));
+    this.expMapperDirPath = resolve(sanitizePath(this.mapperDirPath), sanitizePath(this.experienceConfig.dirName));
+    this.experiencesUidMapperPath = resolve(sanitizePath(this.expMapperDirPath), 'uid-mapping.json');
+    this.cmsVariantGroupPath = resolve(sanitizePath(this.expMapperDirPath), 'cms-variant-groups.json');
+    this.cmsVariantPath = resolve(sanitizePath(this.expMapperDirPath), 'cms-variants.json');
+    this.audiencesMapperPath = resolve(sanitizePath(this.mapperDirPath), sanitizePath(this.audienceConfig.dirName), 'uid-mapping.json');
+    this.eventsMapperPath = resolve(sanitizePath(this.mapperDirPath), 'events', 'uid-mapping.json');
+    this.failedCmsExpPath = resolve(sanitizePath(this.expMapperDirPath), 'failed-cms-experience.json');
+    this.failedCmsExpPath = resolve(sanitizePath(this.expMapperDirPath), 'failed-cms-experience.json');
+    this.experienceCTsPath = resolve(sanitizePath(this.experiencesDirPath), 'experiences-content-types.json');
     this.experienceVariantsIdsPath = resolve(
-      this.config.data,
-      this.personalizationConfig.dirName,
-      this.experienceConfig.dirName,
+      sanitizePath(this.config.data),
+      sanitizePath(this.personalizationConfig.dirName),
+      sanitizePath(this.experienceConfig.dirName),
       'experiences-variants-ids.json',
     );
-    this.variantUidMapperFilePath = resolve(this.expMapperDirPath, 'variants-uid-mapping.json');
+    this.variantUidMapperFilePath = resolve(sanitizePath(this.expMapperDirPath), 'variants-uid-mapping.json');
     this.experiencesUidMapper = {};
     this.cmsVariantGroups = {};
     this.cmsVariants = {};
     this.expThresholdTimer = this.experienceConfig?.thresholdTimer ?? 30000;
     this.expCheckIntervalDuration = this.experienceConfig?.checkIntervalDuration ?? 5000;
     this.maxValidateRetry = Math.round(this.expThresholdTimer / this.expCheckIntervalDuration);
     this.pendingVariantAndVariantGrpForExperience = [];
-    this.cTsSuccessPath = resolve(this.config.backupDir, 'mapper', 'content_types', 'success.json');
+    this.cTsSuccessPath = resolve(sanitizePath(this.config.backupDir), 'mapper', 'content_types', 'success.json');
     this.createdCTs = [];
   }
 

packages/contentstack-variants/src/import/project.ts

@@ -1,6 +1,6 @@
 import { join, resolve as pResolve } from 'path';
 import { existsSync, readFileSync } from 'fs';
-
+import { sanitizePath } from '@contentstack/cli-utilities';
 import { PersonalizationAdapter, askProjectName, fsUtil } from '../utils';
 import { APIConfig, CreateProjectInput, ImportConfig, LogType, ProjectStruct } from '../types';
 
@@ -14,9 +14,9 @@ export default class Project extends PersonalizationAdapter<ImportConfig> {
     };
     super(Object.assign(config, conf));
     this.projectMapperFolderPath = pResolve(
-      this.config.backupDir,
+      sanitizePath(this.config.backupDir),
       'mapper',
-      this.config.modules.personalization.dirName,
+      sanitizePath(this.config.modules.personalization.dirName),
       'projects',
     );
   }
@@ -28,7 +28,7 @@ export default class Project extends PersonalizationAdapter<ImportConfig> {
   async import() {
     const personalization = this.config.modules.personalization;
     const { dirName, fileName } = personalization.projects;
-    const projectPath = join(this.config.data, personalization.dirName, dirName, fileName);
+    const projectPath = join(sanitizePath(this.config.data), sanitizePath(personalization.dirName), sanitizePath(dirName), sanitizePath(fileName));
 
     if (existsSync(projectPath)) {
       const projects = JSON.parse(readFileSync(projectPath, 'utf8')) as CreateProjectInput[];
@@ -60,7 +60,7 @@ export default class Project extends PersonalizationAdapter<ImportConfig> {
         this.config.modules.personalization.importData = true;
 
         await fsUtil.makeDirectory(this.projectMapperFolderPath);
-        fsUtil.writeFile(pResolve(this.projectMapperFolderPath, 'projects.json'), projectRes);
+        fsUtil.writeFile(pResolve(sanitizePath(this.projectMapperFolderPath), 'projects.json'), projectRes);
         this.log(this.config, `Project Created Successfully: ${projectRes.uid}`, 'info');
       }
     } else {

packages/contentstack-variants/src/import/variant-entries.ts

@@ -6,7 +6,7 @@ import forEach from 'lodash/forEach';
 import indexOf from 'lodash/indexOf';
 import { join, resolve } from 'path';
 import { readFileSync, existsSync } from 'fs';
-import { FsUtility, HttpResponse } from '@contentstack/cli-utilities';
+import { FsUtility, HttpResponse, sanitizePath } from '@contentstack/cli-utilities';
 
 import VariantAdapter, { VariantHttpClient } from '../utils/variant-api-adapter';
 import {
@@ -53,12 +53,12 @@ export default class VariantEntries extends VariantAdapter<VariantHttpClient<Imp
         organization_uid: config.org_uid,
         'X-Project-Uid': config.modules.personalization.project_id,
       },
-    };
+    }; 
     super(Object.assign(omit(config, ['helpers']), conf));
-    this.entriesMapperPath = resolve(config.backupDir, config.branchName || '', 'mapper', 'entries');
+    this.entriesMapperPath = resolve(sanitizePath(config.backupDir), config.branchName || '', 'mapper', 'entries');
     this.personalizationConfig = this.config.modules.personalization;
-    this.entriesDirPath = resolve(config.backupDir, config.branchName || '', config.modules.entries.dirName);
-    this.failedVariantPath = resolve(this.entriesMapperPath, 'failed-entry-variants.json');
+    this.entriesDirPath = resolve(sanitizePath(config.backupDir), config.branchName || '', sanitizePath(config.modules.entries.dirName));
+    this.failedVariantPath = resolve(sanitizePath(this.entriesMapperPath), 'failed-entry-variants.json');
     this.failedVariantEntries = new Map();
   }
 
@@ -71,12 +71,12 @@ export default class VariantEntries extends VariantAdapter<VariantHttpClient<Imp
    * message indicating that no entries were found and return.
    */
   async import() {
-    const filePath = resolve(this.entriesMapperPath, 'data-for-variant-entry.json');
+    const filePath = resolve(sanitizePath(this.entriesMapperPath), 'data-for-variant-entry.json');
     const variantIdPath = resolve(
-      this.config.backupDir,
+      sanitizePath(this.config.backupDir),
       'mapper',
-      this.personalizationConfig.dirName,
-      this.personalizationConfig.experiences.dirName,
+      sanitizePath(this.personalizationConfig.dirName),
+      sanitizePath(this.personalizationConfig.experiences.dirName),
       'variants-uid-mapping.json',
     );
 
@@ -97,18 +97,18 @@ export default class VariantEntries extends VariantAdapter<VariantHttpClient<Imp
       return;
     }
 
-    const entriesUidMapperPath = join(this.entriesMapperPath, 'uid-mapping.json');
-    const assetUidMapperPath = resolve(this.config.backupDir, 'mapper', 'assets', 'uid-mapping.json');
-    const assetUrlMapperPath = resolve(this.config.backupDir, 'mapper', 'assets', 'url-mapping.json');
+    const entriesUidMapperPath = join(sanitizePath(this.entriesMapperPath), 'uid-mapping.json');
+    const assetUidMapperPath = resolve(sanitizePath(this.config.backupDir), 'mapper', 'assets', 'uid-mapping.json');
+    const assetUrlMapperPath = resolve(sanitizePath(this.config.backupDir), 'mapper', 'assets', 'url-mapping.json');
     const taxonomiesPath = resolve(
-      this.config.backupDir,
+      sanitizePath(this.config.backupDir),
       'mapper',
-      this.config.modules.taxonomies.dirName,
+      sanitizePath(this.config.modules.taxonomies.dirName),
       'terms',
       'success.json',
     );
-    const marketplaceAppMapperPath = resolve(this.config.backupDir, 'mapper', 'marketplace_apps', 'uid-mapping.json');
-    const envPath = resolve(this.config.backupDir, 'environments', 'environments.json');
+    const marketplaceAppMapperPath = resolve(sanitizePath(this.config.backupDir), 'mapper', 'marketplace_apps', 'uid-mapping.json');
+    const envPath = resolve(sanitizePath(this.config.backupDir), 'environments', 'environments.json');
     // NOTE Read and store list of variant IDs
     this.variantIdList = (fsUtil.readFile(variantIdPath, true) || {}) as Record<string, unknown>;
     if (isEmpty(this.variantIdList)) {
@@ -141,9 +141,9 @@ export default class VariantEntries extends VariantAdapter<VariantHttpClient<Imp
     const { content_type, locale, entry_uid } = entriesForVariant;
     const ctConfig = this.config.modules['content-types'];
     const contentType: ContentTypeStruct = JSON.parse(
-      readFileSync(resolve(this.config.backupDir, ctConfig.dirName, `${content_type}.json`), 'utf8'),
+      readFileSync(resolve(sanitizePath(this.config.backupDir), sanitizePath(ctConfig.dirName), `${content_type}.json`), 'utf8'),
     );
-    const variantEntryBasePath = join(this.entriesDirPath, content_type, locale, variantEntry.dirName, entry_uid);
+    const variantEntryBasePath = join(sanitizePath(this.entriesDirPath), sanitizePath(content_type), sanitizePath(locale), sanitizePath(variantEntry.dirName), sanitizePath(entry_uid));
     const fs = new FsUtility({ basePath: variantEntryBasePath });
 
     for (const _ in fs.indexFileContent) {
@@ -327,7 +327,7 @@ export default class VariantEntries extends VariantAdapter<VariantHttpClient<Imp
         },
         this.assetUidMapper,
         this.assetUrlMapper,
-        join(this.entriesDirPath, contentType.uid),
+        join(sanitizePath(this.entriesDirPath), sanitizePath(contentType.uid)),
         this.installedExtensions,
       );
     }

packages/contentstack-variants/src/utils/logger.ts

@@ -1,6 +1,7 @@
 import * as winston from 'winston';
 import * as path from 'path';
 import mkdirp from 'mkdirp';
+import { sanitizePath } from '@contentstack/cli-utilities';
 import { ExportConfig, ImportConfig } from '../types';
 
 const slice = Array.prototype.slice;
@@ -57,15 +58,15 @@ function init(_logPath: string) {
     mkdirp.sync(logsDir);
 
     successTransport = {
-      filename: path.join(logsDir, 'success.log'),
+      filename: path.join(sanitizePath(logsDir), 'success.log'),
       maxFiles: 20,
       maxsize: 1000000,
       tailable: true,
       level: 'info',
     };
 
     errorTransport = {
-      filename: path.join(logsDir, 'error.log'),
+      filename: path.join(sanitizePath(logsDir), 'error.log'),
       maxFiles: 20,
       maxsize: 1000000,
       tailable: true,