fix: Fix path traversal vulnerability

Finastra · Feb 25, 2022 · c3e4c56 · c3e4c56
1 parent a61ab5a
commit c3e4c56
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/helpers/inlineSVG.helper.ts b/src/helpers/inlineSVG.helper.ts
@@ -2,6 +2,15 @@ import { readFileSync } from 'fs';
 import { join } from 'path';
 
 export default function inlineSVG(iconName) {
-  const path = join(__dirname, `../assets/img/${iconName}.svg`);
+  const path = join(__dirname, `../assets/img/${iconNameWhitelist(iconName)}.svg`);
   return readFileSync(path, 'utf8');
 }
+
+function iconNameWhitelist(iconName) {
+  const fallbackIconName = 'warning'
+  const whitelist = ['warning', 'exit'];
+  if (!whitelist.includes(iconName)) {
+    return fallbackIconName;
+  }
+  return iconName;
+}