fix(code-editor): allow folder in file names (#5620)

botpress · Nov 1, 2021 · 0bc6b1a · 0bc6b1a
1 parent 68eda02
commit 0bc6b1a
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 11 deletions.
diff --git a/modules/code-editor/src/backend/editor.ts b/modules/code-editor/src/backend/editor.ts
@@ -17,8 +17,6 @@ import {
   RAW_TYPE
 } from './utils'
 
-export const FILENAME_REGEX = /^[0-9a-zA-Z_\-.]+$/
-
 const RAW_FILES_FILTERS = ['**/*.map', 'modules/.cache/**/*', 'modules/*.cache', 'modules/*.temp_cache']
 
 export default class Editor {
@@ -161,9 +159,7 @@ export default class Editor {
   }
 
   async renameFile(file: EditableFile, newName: string): Promise<void> {
-    if (file.type !== RAW_TYPE) {
-      assertValidFilename(newName)
-    }
+    assertValidFilename(newName)
 
     const { folder, filename } = getFileLocation(file)
     const newFilename = filename.replace(filename, newName)

diff --git a/modules/code-editor/src/backend/utils.ts b/modules/code-editor/src/backend/utils.ts
@@ -1,9 +1,9 @@
 import { BUILTIN_MODULES } from 'common/defaults'
+import { isValid } from 'common/utils'
 import jsonlintMod from 'jsonlint-mod'
 import _ from 'lodash'
 
 import { FileDefinition, FileTypes } from './definitions'
-import { FILENAME_REGEX } from './editor'
 import { EditorError } from './editorError'
 import { EditableFile, FilePermissions, FileType } from './typings'
 
@@ -37,7 +37,7 @@ export const assertValidJson = (content: string): boolean => {
 }
 
 export const assertValidFilename = (filename: string) => {
-  if (!FILENAME_REGEX.test(filename)) {
+  if (!isValid(filename, 'path')) {
     throw new EditorError('Filename has invalid characters')
   }
 }
@@ -95,10 +95,7 @@ export const validateFilePayload = async (
     throw new EditorError(`Invalid file name. Must match ${def.filenames}`)
   }
 
-  // Skip standard validation for raw, since you can set a complete folder path
-  if (type !== RAW_TYPE) {
-    assertValidFilename(name)
-  }
+  assertValidFilename(name)
 }
 
 export const buildRestrictedProcessVars = () => {

diff --git a/packages/bp/src/common/utils.test.ts b/packages/bp/src/common/utils.test.ts
@@ -0,0 +1,10 @@
+import { sanitize, isValid } from './utils'
+
+test('test invalid paths', () => {
+  expect(isValid('../folder', 'path')).toEqual(false)
+  expect(isValid('../folder/file.js', 'path')).toEqual(false)
+  expect(isValid('folder/file.js', 'path')).toEqual(true)
+  expect(isValid('folder/../file.js', 'path')).toEqual(false)
+  expect(isValid('file.js', 'path')).toEqual(true)
+  expect(isValid('file..js', 'path')).toEqual(true)
+})
diff --git a/packages/bp/src/common/utils.ts b/packages/bp/src/common/utils.ts
@@ -29,3 +29,25 @@ export const getErrorMessage = (error: Error | string | unknown): string => {
 
   return ''
 }
+
+const regex = {
+  illegalFile: /[\/\?<>\\:\*\|"]/,
+  illegalPath: /[\?<>:\*\|"]/,
+  control: /[\x00-\x1f\x80-\x9f]/,
+  reserved: /\.\.+?(\/|\\)/g
+}
+
+export const isValid = (input: string, type: 'file' | 'path') => {
+  if (regex.control.test(input) || input.match(regex.reserved)) {
+    return false
+  }
+
+  return (type === 'file' && !regex.illegalFile.test(input)) || !regex.illegalPath.test(input)
+}
+
+export const sanitize = (input: string, type?: 'file' | 'path') => {
+  return input
+    .replace(regex.control, '')
+    .replace(regex.reserved, '')
+    .replace(type === 'path' ? regex.illegalPath : regex.illegalFile, '')
+}