fix(fetch): path traversal attack

gutenye · gutenye · commit bc90b2e78346 · 2025-01-03T10:43:44.000+08:00
diff --git a/src/fetch/__tests__/fetchUtils.test.ts b/src/fetch/__tests__/fetchUtils.test.ts
@@ -34,14 +34,28 @@ describe('request', () => {
   })
 })
 
-describe('createRequest', async () => {
-  const api = createRequest(BASE_URL)
-  expect(await api('/a')).toEqual([
-    `${BASE_URL}/a`,
-    {
-      headers: {
-        'Content-Type': 'application/json',
+describe('createRequest', () => {
+  it('works', async () => {
+    const api = createRequest(BASE_URL)
+    expect(await api('/a')).toEqual([
+      new URL(`${BASE_URL}/a`),
+      {
+        headers: {
+          'Content-Type': 'application/json',
+        },
+      },
+    ])
+  })
+
+  it('path traversal attack', async () => {
+    const api = createRequest(BASE_URL)
+    expect(await api('/../a')).toEqual([
+      new URL(`${BASE_URL}/a`),
+      {
+        headers: {
+          'Content-Type': 'application/json',
+        },
       },
-    },
-  ])
+    ])
+  })
 })
diff --git a/src/fetch/fetch.ts b/src/fetch/fetch.ts
@@ -37,7 +37,7 @@ export function createRequest(baseUrl: string) {
   ) {
     const newInput =
       typeof input === 'string' && input.startsWith('/')
-        ? `${baseUrl}${input}`
+        ? new URL(input, baseUrl)
         : input
     return request(newInput, options)
   }

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ export function createRequest(baseUrl: string) {`
`37`	`37`	`) {`
`38`	`38`	`const newInput =`
`39`	`39`	`typeof input === 'string' && input.startsWith('/')`
`40`		- ? `${baseUrl}${input}`
	`40`	`+ ? new URL(input, baseUrl)`
`41`	`41`	`: input`
`42`	`42`	`return request(newInput, options)`
`43`	`43`	`}`