Skip to content

fix: Implement path validation, rate limiting and Input safety across core modules #2587

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

fix: Implement path validation, rate limiting and Input safety across core modules #2587

wants to merge 11 commits into from
+110 −21

Conversation

odaysec
Copy link

@odaysec odaysec commented Oct 13, 2025
edited
Loading

Summary of Changes

This pull request addresses several security vulnerabilities in the linode/apl-core project, focusing on improving path safety, rate limiting, and input validation to prevent denial-of-service (DoS) and path traversal attacks.
The changes enhance the reliability and security of multiple modules, particularly server.ts, crypt.ts, utils.ts, and repo.ts, by ensuring that all file system and input operations are properly constrained and validated.

Rate Limiting for /prepare Route (src/server.ts)

The /prepare route performs potentially expensive file operations without limiting the number of incoming requests. This allows attackers to flood the endpoint and cause resource exhaustion (DoS).

Fix:

  • Introduced rate limiting using the express-rate-limit middleware.
  • Configured a limit (e.g., 10 requests per minute) specifically for the /prepare route.
  • Added middleware setup above the route definition and applied it directly via app.get('/prepare', limiter, ...).

This ensures that excessive or abusive request patterns are throttled effectively.

Validation of Untrusted .length Property (src/common/crypt.ts)

Using .length on untrusted input (filesArgs) could lead to unbounded iteration if a malicious object defines an excessively large or invalid .length value.

Fix:

  • Added validation to ensure filesArgs is a genuine array.
  • Verified that .length is a finite, non-negative integer and below a defined safe threshold (e.g., MAX_FILES = 1000).
  • Implemented truncation or rejection for unsafe or malformed input before processing.
  • Ensured getAllSecretFiles() results are also validated to prevent massive file enumeration.

This prevents potential denial-of-service attacks through loop-bound injection.

Path Traversal Protection (src/server.ts, src/common/utils.ts, src/common/repo.ts, src/common/crypt.ts)

Multiple functions construct or access file paths based on user-supplied input (envDir, directory paths, etc.) without ensuring they remain inside a safe root directory. This can allow path traversal and unauthorized access to sensitive files.

Fixes Implemented Across Files:

a. server.ts

  • Normalized and resolved user-supplied paths using path.resolve.
  • Defined a safe root directory for environment-related files.
  • Added checks ensuring that resolved paths start with the allowed root before performing any file system operations (e.g., copyFile).
  • Added a 403 Forbidden response when invalid paths are detected.

b. common/utils.ts

  • Updated readdirRecurse to verify that the target directory remains within rootDir or another predefined sandbox.
  • If validation fails, the function returns an empty list or logs a warning without performing unsafe filesystem operations.

c. common/repo.ts

  • Added a secure root constant (e.g., const ROOT = path.resolve('/var/data')).

  • Updated all functions using envDir (unsetValuesFile, setValuesFile, unsetValuesFileSync) to:

    • Resolve paths relative to this root.
    • Check that resolved paths start with ROOT before accessing the file system.

  • Prevented traversal beyond the designated directory hierarchy.

d. common/crypt.ts

  • Ensured that encryption and decryption routines only operate on paths under the allowed root directory.
  • Used path.resolve() and fs.realpathSync() to prevent both directory traversal and symbolic link manipulation.
  • Rejected operations early when paths are outside the intended environment root.

These combined fixes ensure that all filesystem interactions are constrained within trusted boundaries, effectively eliminating path traversal risks.

  • Prevents Loop bound injection from excessive or malicious HTTP requests.
  • Eliminates loop-bound injection vulnerabilities from untrusted .length properties.
  • Mitigates path traversal and arbitrary file access, protecting system integrity and sensitive data.
  • Strengthens trust boundaries between user input and server-side file operations.

Technical References

  • express-rate-limit NPM
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-606: Unchecked Input for Loop Condition

🧹 Checklist

  • Code is readable, maintainable, and robust.
  • Unit tests added/updated

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ferruhcihan ferruhcihan Awaiting requested review from ferruhcihan ferruhcihan is a code owner

@CasLubbers CasLubbers Awaiting requested review from CasLubbers CasLubbers is a code owner

@j-zimnowoda j-zimnowoda Awaiting requested review from j-zimnowoda j-zimnowoda is a code owner

@merll merll Awaiting requested review from merll merll is a code owner

@Ani1357 Ani1357 Awaiting requested review from Ani1357 Ani1357 is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@odaysec @svcAPLBot