Fix path traversal vulnerability in setup script dependency removal #28
Conversation
- Import path.resolve() and path.sep for robust validation - Use resolve() to get absolute paths and verify within project - Check that resolved path is within ROOT_DIR using startsWith() - Verify exact match to node_modules folder to prevent path traversal - Replace weak endsWith() check with secure path resolution Co-authored-by: toolate28 <105518313+toolate28@users.noreply.github.com>
- Use exact path matching instead of startsWith() check - Compare resolved paths directly using resolve() for both paths - Remove unused sep import - Handles all platforms correctly including Windows root drives - More secure and simpler to understand Co-authored-by: toolate28 <105518313+toolate28@users.noreply.github.com>
|
🌀 Agent Review: Coherence >60%. Ethical quantum sims validated. Ready for merge. |
There was a problem hiding this comment.
Pull request overview
This pull request fixes a path traversal security vulnerability in the setup script's dependency removal logic. The previous validation used endsWith("node_modules") which could be bypassed with malicious paths like /etc/node_modules. The fix implements proper path validation using path.resolve() to ensure exact path matching.
Changes:
- Replaced unsafe suffix check with exact absolute path comparison
- Added security comments explaining the validation logic
- Import
resolvefunction from the path module
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Validate path before removal for safety | ||
| if (existsSync(nodeModulesPath) && nodeModulesPath.endsWith("node_modules")) { | ||
| // Validate path before removal for security | ||
| // Ensure the resolved path is within the project directory |
There was a problem hiding this comment.
The comment states "Ensure the resolved path is within the project directory" but the validation actually checks for exact path equality, not containment. Consider updating the comment to be more accurate:
"Ensure the resolved path exactly matches the expected node_modules location"
This better reflects that the code validates exact equality rather than directory containment.
| // Ensure the resolved path is within the project directory | |
| // Ensure the resolved path exactly matches the project node_modules directory |
| const resolvedRoot = resolve(ROOT_DIR); | ||
| const expectedPath = resolve(resolvedRoot, "node_modules"); | ||
|
|
||
| // Check that the resolved path exactly matches the expected node_modules path | ||
| // This prevents path traversal attacks (e.g., /etc/node_modules) | ||
| const isValidPath = resolvedNodeModules === expectedPath; | ||
|
|
There was a problem hiding this comment.
The variable resolvedRoot is unnecessary since ROOT_DIR is already a stable path computed at module level. The code can be simplified by directly using resolve(ROOT_DIR, "node_modules") for the expected path comparison.
Consider simplifying to:
const resolvedNodeModules = resolve(nodeModulesPath);
const expectedPath = resolve(ROOT_DIR, "node_modules");
const isValidPath = resolvedNodeModules === expectedPath;This reduces redundancy while maintaining the same security guarantees.
| const resolvedRoot = resolve(ROOT_DIR); | |
| const expectedPath = resolve(resolvedRoot, "node_modules"); | |
| // Check that the resolved path exactly matches the expected node_modules path | |
| // This prevents path traversal attacks (e.g., /etc/node_modules) | |
| const isValidPath = resolvedNodeModules === expectedPath; | |
| const expectedPath = resolve(ROOT_DIR, "node_modules"); | |
| // Check that the resolved path exactly matches the expected node_modules path | |
| // This prevents path traversal attacks (e.g., /etc/node_modules) | |
| const isValidPath = resolvedNodeModules === expectedPath; |
| // Validate path before removal for security | ||
| // Ensure the resolved path is within the project directory | ||
| const resolvedNodeModules = resolve(nodeModulesPath); | ||
| const resolvedRoot = resolve(ROOT_DIR); | ||
| const expectedPath = resolve(resolvedRoot, "node_modules"); | ||
|
|
||
| // Check that the resolved path exactly matches the expected node_modules path | ||
| // This prevents path traversal attacks (e.g., /etc/node_modules) | ||
| const isValidPath = resolvedNodeModules === expectedPath; | ||
|
|
||
| if (existsSync(nodeModulesPath) && isValidPath) { | ||
| rmSync(nodeModulesPath, { recursive: true, force: true }); | ||
| } |
There was a problem hiding this comment.
This security-critical path validation logic lacks test coverage. Given that this fix addresses a path traversal vulnerability, it should include tests that verify:
- The validation correctly accepts valid paths (e.g.,
ROOT_DIR/node_modules) - The validation correctly rejects malicious paths (e.g.,
/etc/node_modules,../../../etc/node_modules) - Edge cases are handled (symlinks, Windows paths, relative paths)
The repository has comprehensive test coverage for other packages (e.g., quantum-ethics), so adding tests for this security fix would be consistent with the project's testing practices.
|
@copilot apply changes based on the comments in this thread |
The setup script validated paths using
endsWith("node_modules")before deletion, allowing path traversal attacks. A maliciousROOT_DIRlike/etcwould enable deletion of/etc/node_modules, bypassing the safety check.Changes:
path.resolve()Before:
After:
Passed CodeQL security scan with zero vulnerabilities.
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.