fix: input used to read file should be sanitized (#3402)

## About the changes Following the recommendation to fix https://github.com/Unleash/unleash/security/code-scanning/2 and https://github.com/Unleash/unleash/security/code-scanning/3 The endpoint seems to be used for developing purposes only (to preview an email under development) but it's available in every Unleash installation and can potentially be exploited.
2025-02-09 00:18:00 +01:00 · 2023-04-03 14:17:44 +02:00 · 2023-04-03 14:17:44 +02:00 · 36f1125c25
commit 36f1125c25
parent 257db03f87
3 changed files with 22 additions and 1 deletions
--- a/package.json
+++ b/package.json
@ -132,6 +132,7 @@
    "pkginfo": "^0.4.1",
    "prom-client": "^14.0.0",
    "response-time": "^2.3.2",
+    "sanitize-filename": "^1.6.3",
    "semver": "^7.3.5",
    "serve-favicon": "^2.5.0",
    "stoppable": "^1.1.0",
--- a/src/lib/routes/admin-api/email.ts
+++ b/src/lib/routes/admin-api/email.ts
@ -5,6 +5,7 @@ import { IUnleashServices } from '../../types/services';
 import { Request, Response } from 'express';
 import Controller from '../controller';
 import { Logger } from '../../logger';
+import sanitize from 'sanitize-filename';

 export default class EmailController extends Controller {
    private emailService: EmailService;
@ -26,7 +27,7 @@ export default class EmailController extends Controller {
        const { template } = req.params;
        const ctx = req.query;
        const data = await this.emailService.compileTemplate(
-            template,
+            sanitize(template),
            TemplateFormat.HTML,
            ctx,
        );
--- a/yarn.lock
+++ b/yarn.lock
@ -6188,6 +6188,13 @@ safe-regex-test@^1.0.0:
  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
  integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==

+sanitize-filename@^1.6.3:
+  version "1.6.3"
+  resolved "https://registry.yarnpkg.com/sanitize-filename/-/sanitize-filename-1.6.3.tgz#755ebd752045931977e30b2025d340d7c9090378"
+  integrity sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg==
+  dependencies:
+    truncate-utf8-bytes "^1.0.0"
+
 semver@^5.0.3, semver@^5.3.0:
  version "5.7.1"
  resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.1.tgz#a954f931aeba508d307bbf069eff0c01c96116f7"
@ -6810,6 +6817,13 @@ trim-newlines@^4.0.2:
  resolved "https://registry.yarnpkg.com/trim-newlines/-/trim-newlines-4.0.2.tgz#d6aaaf6a0df1b4b536d183879a6b939489808c7c"
  integrity sha512-GJtWyq9InR/2HRiLZgpIKv+ufIKrVrvjQWEj7PxAXNc5dwbNJkqhAUoAGgzRmULAnoOM5EIpveYd3J2VeSAIew==

+truncate-utf8-bytes@^1.0.0:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz#405923909592d56f78a5818434b0b78489ca5f2b"
+  integrity sha512-95Pu1QXQvruGEhv62XCMO3Mm90GscOCClvrIUwCM0PYOXK3kaF3l3sIHxx71ThJfcbM2O5Au6SO3AWCSEfW4mQ==
+  dependencies:
+    utf8-byte-length "^1.0.1"
+
 ts-algebra@^1.1.1:
  version "1.1.1"
  resolved "https://registry.yarnpkg.com/ts-algebra/-/ts-algebra-1.1.1.tgz#f7593cabcfd64f9d7211fa4f16ea9719e02461bc"
@ -7057,6 +7071,11 @@ use-deep-compare-effect@^1.8.1:
    "@babel/runtime" "^7.12.5"
    dequal "^2.0.2"

+utf8-byte-length@^1.0.1:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/utf8-byte-length/-/utf8-byte-length-1.0.4.tgz#f45f150c4c66eee968186505ab93fcbb8ad6bf61"
+  integrity sha512-4+wkEYLBbWxqTahEsWrhxepcoVOJ+1z5PGIjPZxRkytcdSUaNjIjBM7Xn8E+pdSuV7SzvWovBFA54FO0JSoqhA==
+
 util-deprecate@~1.0.1:
  version "1.0.2"
  resolved "https://registry.yarnpkg.com/util-deprecate/-/util-deprecate-1.0.2.tgz#450d4dc9fa70de732762fbd2d4a28981419a0ccf"