Fixed: Uncontrolled data used in path expression

next-docs/pages/api/examples.ts

@@ -2,6 +2,7 @@ import fs from 'fs';
 import path from 'path';
 // Next.js API route support: https://nextjs.org/docs/api-routes/introduction
 import type { NextApiRequest, NextApiResponse } from 'next';
+import useFilteredRequestQuery, { filterAllowedSymbolsOnly, filterAlphaNumericOnly, filterSafePath } from '../../utils/useFilteredRequestQuery';
 
 type Data = {
   examples: Object;
@@ -59,7 +60,7 @@ export default async (req: NextApiRequest, res: NextApiResponse<Data>) => {
   const dirPath = path.resolve(
     './public',
     dirRelativeToPublicFolder,
-    component as string
+    useFilteredRequestQuery(component as string, filterAlphaNumericOnly)
   );
 
   const examples = await getFilesFromDirectory(dirPath);

next-docs/pages/api/styledExamples.ts

@@ -2,6 +2,7 @@ import fs from 'fs';
 import path from 'path';
 // Next.js API route support: https://nextjs.org/docs/api-routes/introduction
 import type { NextApiRequest, NextApiResponse } from 'next';
+import useFilteredRequestQuery, { filterAllowedSymbolsOnly, filterAlphaNumericOnly, filterSafePath } from '../../utils/useFilteredRequestQuery';
 
 type Data = {
   examples: Object;
@@ -59,7 +60,7 @@ export default async (req: NextApiRequest, res: NextApiResponse<Data>) => {
   const dirPath = path.resolve(
     './public',
     dirRelativeToPublicFolder,
-    component as string
+    useFilteredRequestQuery(component as string, filterAlphaNumericOnly)
   );
 
   const examples = await getFilesFromDirectory(dirPath);

next-docs/utils/useFilteredRequestQuery.ts

@@ -0,0 +1,66 @@
+export type Patterns = {
+  [K: string]: (path: string) => string;
+}
+
+/* Allows letters, digits, dashes, dots, slashes.
+  Denies: leading/trailing/multiple dots,
+  leading/trailing/multiple slashes,
+  dots-slashes combinations.
+  Returns: resulting string.
+*/
+
+export const filterSafePath: Patterns = {
+  trimRepeatedSymbols: (path: string) => {
+    const pattern = new RegExp('([\\.]{2,})|([\\/]{2,})|([\\\\]{2,})', 'g');
+    return path.replace(pattern, (match) => { return match[0]; })
+  },
+  removeDottedSlashes: (path: string) => {
+    const pattern = new RegExp('(\\.\\\\)|(\\.\\/)|(\\\\\\.)|(\\/\\.)', 'g');
+    return path.replace(pattern, '');
+  },
+  removeUnallowedSymbols: (path: string) => {
+    const pattern = new RegExp('([^\\w\\d\\.\\/\\\\-]+)', 'g');
+    return path.replace(pattern, '');
+  },
+  trimSymbols: (path: string) => {
+    const pattern = new RegExp('(^[\\.\\\\\\/]+)|([\\.\\\\\\/]+)$', 'g');
+    return path.replace(pattern, '');
+  }
+}
+
+/* Allows letters, digits, dashes.
+  Returns if matched: result string,
+  otherwise: empty string;
+*/
+export const filterAllowedSymbolsOnly: Patterns = {
+  ...filterSafePath,
+  getPath: (path: string) => {
+    const matched = path.match(new RegExp('^([\\w\\d-]+)$', 'gi'));
+    return matched === null ? '' : matched[0];
+  }
+}
+
+/* Allows alphanumeric symbols.
+  Returns if matched: result string,
+  otherwise: empty string;
+*/
+export const filterAlphaNumericOnly: Patterns = {
+  ...filterSafePath,
+  getPath: (path: string) => {
+    const matched = path.match(new RegExp('^([\\w]+)$', 'gi'));
+    return matched === null ? '' : matched[0];
+  }
+}
+
+const useFilteredRequestQuery = (path: string, patterns: Patterns, defaultPath: string = '') => {
+  let threatedPath = path;
+  for (const pattern of Object.values(patterns)) {
+    threatedPath = pattern(threatedPath);
+  }
+
+  return threatedPath.length
+    ? threatedPath
+    : defaultPath;
+};
+
+export default useFilteredRequestQuery;