Coves frontend - a photon fork
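/**
 * Validates a proxy path for security issues.
 *
 * Checks run in this order and the first failure wins:
 * 1. Null bytes - can be used to bypass filters or truncate paths
 * 2. Protocol schemes - rejects a leading `scheme:` (javascript:, data:, ...)
 * 3. Path traversal - rejects `..` segments, including segments where either
 *    dot is written as `%2e`, plus the double-encoded and overlong-UTF-8
 *    forms listed in the pattern below
 * 4. Backslash - Windows separator that could bypass Unix-style checks
 * 5. Encoded separators - %2F (/), %5C (\) that could bypass validation
 *
 * This is a syntactic deny-list only: it does not decode or normalise the
 * path, so callers should still resolve the final URL and confirm it stays
 * under the intended upstream origin and path prefix.
 *
 * @param path - The untrusted path to be forwarded by the proxy.
 * @returns An error message if the path is invalid, or null if it passed
 *   every check.
 */
export function validateProxyPath(path: string): string | null {
  // Check for null bytes (can be used to bypass filters)
  if (path.includes('\x00')) {
    return 'Invalid path: null bytes not allowed'
  }

  // Check for protocol injection attempts (a URI scheme at the very start).
  // NOTE(review): a leading `//` (scheme-relative authority) is not rejected
  // here; if callers resolve this path against a base URL rather than
  // concatenating it, confirm that case is handled before the request is made.
  if (/^[a-z][a-z0-9+.-]*:/i.test(path)) {
    return 'Invalid path: protocol schemes not allowed'
  }

  // Check for path traversal patterns.
  // First alternative: a whole path segment made of two dots, where each dot
  // may be literal or `%2e`. WHATWG URL parsers (fetch, `new URL`) treat
  // `..`, `.%2e`, `%2e.` and `%2e%2e` identically, so all four must be
  // rejected. The segment may be terminated by a separator, by `?` / `#`
  // (start of query or fragment), or by end of input.
  // Remaining alternatives: `%2e%2e` anywhere, double-encoded dot (`%252e`),
  // and the overlong UTF-8 sequences `%c0%ae` / `%c1%9c`.
  const traversalPattern =
    /(?:^|[\\/])(?:\.|%2e){2}(?:[\\/?#]|$)|%2e%2e|%252e|%c0%ae|%c1%9c/i
  if (traversalPattern.test(path)) {
    return 'Invalid path: path traversal not allowed'
  }

  // Check for backslash (Windows path separator that could bypass checks)
  if (path.includes('\\')) {
    return 'Invalid path: backslash not allowed'
  }

  // Check for URL-encoded separators that might bypass validation
  // %2F = /, %5C = \
  // NOTE(review): double-encoded separators (%252F, %255C) pass this check
  // while %252e is rejected above; confirm whether any downstream layer
  // decodes the path a second time.
  if (/%2f|%5c/i.test(path)) {
    return 'Invalid path: encoded path separators not allowed'
  }

  return null
}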