refactor(security): harden temp-path handling for inbound media

2026-02-19 14:06:11 +01:00
parent 9f9cd5cbb2
commit ec232a9e2d
10 changed files with 235 additions and 41 deletions
--- a/src/plugin-sdk/temp-path.test.ts
+++ b/src/plugin-sdk/temp-path.test.ts
@@ -1,7 +1,8 @@
+import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 import { describe, expect, it } from "vitest";
-import { buildRandomTempFilePath } from "./temp-path.js";
+import { buildRandomTempFilePath, withTempDownloadPath } from "./temp-path.js";

 describe("buildRandomTempFilePath", () => {
  it("builds deterministic paths when now/uuid are provided", () => {
@@ -30,3 +31,41 @@ describe("buildRandomTempFilePath", () => {
    expect(result).not.toContain("..");
  });
 });
+
+describe("withTempDownloadPath", () => {
+  it("creates a temp path under tmp dir and cleans up the temp directory", async () => {
+    let capturedPath = "";
+    await withTempDownloadPath(
+      {
+        prefix: "line-media",
+      },
+      async (tmpPath) => {
+        capturedPath = tmpPath;
+        await fs.writeFile(tmpPath, "ok");
+      },
+    );
+
+    expect(capturedPath).toContain(path.join(os.tmpdir(), "line-media-"));
+    await expect(fs.stat(capturedPath)).rejects.toMatchObject({ code: "ENOENT" });
+  });
+
+  it("sanitizes prefix and fileName", async () => {
+    let capturedPath = "";
+    await withTempDownloadPath(
+      {
+        prefix: "../../line/../media",
+        fileName: "../../evil.bin",
+      },
+      async (tmpPath) => {
+        capturedPath = tmpPath;
+      },
+    );
+
+    const tmpRoot = path.resolve(os.tmpdir());
+    const resolved = path.resolve(capturedPath);
+    const rel = path.relative(tmpRoot, resolved);
+    expect(rel === ".." || rel.startsWith(`..${path.sep}`)).toBe(false);
+    expect(path.basename(capturedPath)).toBe("evil.bin");
+    expect(capturedPath).not.toContain("..");
+  });
+});