From 16a7964493111960733db825a2ef9f099c0b017f Mon Sep 17 00:00:00 2001 From: "Robby (AI-assisted)" Date: Tue, 27 Jan 2026 09:24:24 +0000 Subject: [PATCH] security(web): sanitize WhatsApp accountId to prevent path traversal Add normalizeAccountId() to sanitize account IDs before use in path.join(), preventing potential path traversal attacks via malicious config values. This follows the same pattern already used in src/telegram/update-offset-store.ts for Telegram account ID sanitization. Fixes #2692 --- src/canvas-host/a2ui/.bundle.hash | 2 +- src/web/accounts.ts | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/canvas-host/a2ui/.bundle.hash b/src/canvas-host/a2ui/.bundle.hash index 19a232f5c..586ab5545 100644 --- a/src/canvas-host/a2ui/.bundle.hash +++ b/src/canvas-host/a2ui/.bundle.hash @@ -1 +1 @@ -2567ca5bbc065b922d96717a488d5db3120b5b033c5d0508682d1aa8fbba470a +098343e65655850312863011a5c06be0ee15d31a815e6150f65cbd101306f5b3 diff --git a/src/web/accounts.ts b/src/web/accounts.ts index 3af151526..4e39b4d30 100644 --- a/src/web/accounts.ts +++ b/src/web/accounts.ts @@ -85,8 +85,18 @@ function resolveAccountConfig( return entry; } +/** + * Normalize accountId to prevent path traversal attacks. + * Strips any characters that could be used to escape the directory structure. + */ +function normalizeAccountId(accountId: string): string { + const trimmed = accountId.trim(); + if (!trimmed) return "default"; + return trimmed.replace(/[^a-z0-9._-]+/gi, "_"); +} + function resolveDefaultAuthDir(accountId: string): string { - return path.join(resolveOAuthDir(), "whatsapp", accountId); + return path.join(resolveOAuthDir(), "whatsapp", normalizeAccountId(accountId)); } function resolveLegacyAuthDir(): string {