security(web): sanitize WhatsApp accountId to prevent path traversal

Add normalizeAccountId() to sanitize account IDs before use in path.join(),
preventing potential path traversal attacks via malicious config values.

This follows the same pattern already used in src/telegram/update-offset-store.ts
for Telegram account ID sanitization.

Fixes #2692
This commit is contained in:
Robby (AI-assisted) 2026-01-27 09:24:24 +00:00
parent 72fea5e305
commit 16a7964493
2 changed files with 12 additions and 2 deletions

View File

@ -1 +1 @@
2567ca5bbc065b922d96717a488d5db3120b5b033c5d0508682d1aa8fbba470a
098343e65655850312863011a5c06be0ee15d31a815e6150f65cbd101306f5b3

View File

@ -85,8 +85,18 @@ function resolveAccountConfig(
return entry;
}
/**
* Normalize accountId to prevent path traversal attacks.
* Strips any characters that could be used to escape the directory structure.
*/
function normalizeAccountId(accountId: string): string {
const trimmed = accountId.trim();
if (!trimmed) return "default";
return trimmed.replace(/[^a-z0-9._-]+/gi, "_");
}
function resolveDefaultAuthDir(accountId: string): string {
return path.join(resolveOAuthDir(), "whatsapp", accountId);
return path.join(resolveOAuthDir(), "whatsapp", normalizeAccountId(accountId));
}
function resolveLegacyAuthDir(): string {