fix(web-console): fixing a Path Traversal Vulnerability (#321)

JafarAkhondali · glasstiger · goodroot · web-flow · commit 4cae3d464ca5 · 2025-03-12T12:50:51.000-07:00
Block malicious looking requests to prevent path traversal attacks.

Co-authored-by: glasstiger &lt;94906625+glasstiger@users.noreply.github.com&gt;
Co-authored-by: goodroot &lt;9484709+goodroot@users.noreply.github.com&gt;
diff --git a/packages/web-console/serve-dist.js b/packages/web-console/serve-dist.js
@@ -6,6 +6,11 @@ const path = require("path")
 const contextPath = process.env.QDB_HTTP_CONTEXT_WEB_CONSOLE || ""
 
 const server = http.createServer((req, res) => {
+    if (path.normalize(decodeURI(req.url)) !== decodeURI(req.url)) {
+        res.statusCode = 403;
+        res.end();
+        return;
+    }
   const { method } = req
   const baseUrl =  "http://" + req.headers.host + contextPath;
   const reqUrl = new url.URL(req.url, baseUrl);
