security(web): sanitize WhatsApp accountId to prevent path traversal
Add normalizeAccountId() to sanitize account IDs before use in path.join(), preventing potential path traversal attacks via malicious config values. This follows the same pattern already used in src/telegram/update-offset-store.ts for Telegram account ID sanitization. Fixes #2692
This commit is contained in:
parent
72fea5e305
commit
16a7964493
@ -1 +1 @@
|
||||
2567ca5bbc065b922d96717a488d5db3120b5b033c5d0508682d1aa8fbba470a
|
||||
098343e65655850312863011a5c06be0ee15d31a815e6150f65cbd101306f5b3
|
||||
|
||||
@ -85,8 +85,18 @@ function resolveAccountConfig(
|
||||
return entry;
|
||||
}
|
||||
|
||||
/**
|
||||
* Normalize accountId to prevent path traversal attacks.
|
||||
* Strips any characters that could be used to escape the directory structure.
|
||||
*/
|
||||
function normalizeAccountId(accountId: string): string {
|
||||
const trimmed = accountId.trim();
|
||||
if (!trimmed) return "default";
|
||||
return trimmed.replace(/[^a-z0-9._-]+/gi, "_");
|
||||
}
|
||||
|
||||
function resolveDefaultAuthDir(accountId: string): string {
|
||||
return path.join(resolveOAuthDir(), "whatsapp", accountId);
|
||||
return path.join(resolveOAuthDir(), "whatsapp", normalizeAccountId(accountId));
|
||||
}
|
||||
|
||||
function resolveLegacyAuthDir(): string {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user