Fix path traversal in save_account_details (SonarQube jssecurity:S2083)#62
Conversation
Pass an allowlisted set of locals to res.render instead of the raw request body, preventing a user-controlled 'layout' property from being resolved to a filesystem path by the hbs engine. Co-Authored-By: Joao Esteves <joao.esteves@cognition.ai>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
| const safeProfile = { | ||
| firstname: validator.rtrim(profile.firstname), | ||
| lastname: validator.rtrim(profile.lastname), | ||
| email: profile.email, |
SonarQube remediation:
|
Summary
Remediates SonarQube BLOCKER issue
AZoM-zIBs8nSf3VywcRW(rulejssecurity:S2083, Path Traversal) atroutes/index.js:107.save_account_detailspassed the raw request body straight into the view engine:The
hbsengine (registered inapp.js) treats certain locals — notablylayout— as template file paths. Becauseprofileis the untrustedreq.body, an attacker could add alayoutproperty whose value escapes the views directory (e.g.../../etc/...), turning render locals into a user-controlled filesystem path.Fix
Pass an allowlist of only the expected, validated fields instead of the whole body, so no attacker-supplied property can reach the engine's path resolution:
views/account.hbsonly referencesfirstname,lastname,email,phone,country, so rendering behavior is unchanged.Scope is limited to this single sink; no unrelated code was touched.
node --check routes/index.jspasses. (npm testrunssnyk test, which needs Snyk auth, so it was skipped per task guidance.)Link to Devin session: https://app.devin.ai/sessions/e88cfeb34e794efb9f7e973443203788
Requested by: @joao-cognition
Devin Review