Merge pull request from GHSA-44cc-43rp-5947

Co-authored-by: Frédéric Collonval <[email protected]>
(cherry picked from commit 19bd9b9)

Author: krassowski

packages/apputils-extension/src/workspacesplugin.ts

@@ -218,7 +218,11 @@ namespace Private {
         await this._state.save(LAST_SAVE_ID, path);
 
         // Navigate to new workspace.
-        const url = URLExt.join(this._application, 'workspaces', id);
+        const workspacesBase = URLExt.join(this._application, 'workspaces');
+        const url = URLExt.join(workspacesBase, id);
+        if (!workspacesBase.startsWith(url)) {
+          throw new Error('Can only be used for workspaces');
+        }
         if (this._router) {
           this._router.navigate(url, { hard: true });
         } else {

packages/hub-extension/src/index.ts

@@ -56,9 +56,16 @@ function activateHubExtension(
   });
 
   // If hubServerName is set, use JupyterHub 1.0 URL.
-  const restartUrl = hubServerName
-    ? hubHost + URLExt.join(hubPrefix, 'spawn', hubUser, hubServerName)
-    : hubHost + URLExt.join(hubPrefix, 'spawn');
+  const spawnBase = URLExt.join(hubPrefix, 'spawn');
+  let restartUrl: string;
+  if (hubServerName) {
+    const suffix = URLExt.join(spawnBase, hubUser, hubServerName);
+    if (!suffix.startsWith(spawnBase)) {
+      throw new Error('Can only be used for spawn requests');
+    }
+    restartUrl = hubHost + suffix;
+  }
+  restartUrl = hubHost + spawnBase;
 
   const { commands } = app;
 

packages/services/src/session/restapi.ts

@@ -42,7 +42,12 @@ export async function listRunning(
  * Get a session url.
  */
 export function getSessionUrl(baseUrl: string, id: string): string {
-  return URLExt.join(baseUrl, SESSION_SERVICE_URL, id);
+  const servicesBase = URLExt.join(baseUrl, SESSION_SERVICE_URL);
+  const result = URLExt.join(servicesBase, id);
+  if (!result.startsWith(servicesBase)) {
+    throw new Error('Can only be used for services requests');
+  }
+  return result;
 }
 
 /**

packages/services/src/setting/index.ts

@@ -149,6 +149,11 @@ namespace Private {
    * Get the url for a plugin's settings.
    */
   export function url(base: string, id: string): string {
-    return URLExt.join(base, SERVICE_SETTINGS_URL, id);
+    const settingsBase = URLExt.join(base, SERVICE_SETTINGS_URL);
+    const result = URLExt.join(settingsBase, id);
+    if (!result.startsWith(settingsBase)) {
+      throw new Error('Can only be used for workspaces requests');
+    }
+    return result;
   }
 }

packages/services/src/terminal/restapi.ts

@@ -101,7 +101,11 @@ export async function shutdownTerminal(
   settings: ServerConnection.ISettings = ServerConnection.makeSettings()
 ): Promise<void> {
   Private.errorIfNotAvailable();
-  const url = URLExt.join(settings.baseUrl, TERMINAL_SERVICE_URL, name);
+  const workspacesBase = URLExt.join(settings.baseUrl, TERMINAL_SERVICE_URL);
+  const url = URLExt.join(workspacesBase, name);
+  if (!url.startsWith(workspacesBase)) {
+    throw new Error('Can only be used for terminal requests');
+  }
   const init = { method: 'DELETE' };
   const response = await ServerConnection.makeRequest(url, init, settings);
   if (response.status === 404) {

packages/services/src/workspace/index.ts

@@ -178,6 +178,11 @@ namespace Private {
    * Get the url for a workspace.
    */
   export function url(base: string, id: string): string {
-    return URLExt.join(base, SERVICE_WORKSPACES_URL, id);
+    const workspacesBase = URLExt.join(base, SERVICE_WORKSPACES_URL);
+    const result = URLExt.join(workspacesBase, id);
+    if (!result.startsWith(workspacesBase)) {
+      throw new Error('Can only be used for workspaces requests');
+    }
+    return result;
   }
 }

packages/services/test/session/session.spec.ts

@@ -157,5 +157,9 @@ describe('session', () => {
     it('should handle a 404 status', () => {
       return SessionAPI.shutdownSession(UUID.uuid4());
     });
+
+    it('should reject invalid on invalid id', async () => {
+      await expect(SessionAPI.shutdownSession('../')).rejects.toThrow();
+    });
   });
 });

packages/services/test/setting/manager.spec.ts

@@ -53,6 +53,15 @@ describe('setting', () => {
 
         expect((await manager.fetch(id)).id).toBe(id);
       });
+
+      it('should reject on invalid id', async () => {
+        const id = '../';
+
+        const callback = async () => {
+          await manager.fetch(id);
+        };
+        await expect(callback).rejects.toThrow();
+      });
     });
 
     describe('#save()', () => {
@@ -64,6 +73,17 @@ describe('setting', () => {
         await manager.save(id, raw);
         expect(JSON.parse((await manager.fetch(id)).raw).theme).toBe(theme);
       });
+
+      it('should reject on invalid id', async () => {
+        const id = '../';
+        const theme = 'Foo Theme';
+        const raw = `{"theme": "${theme}"}`;
+
+        const callback = async () => {
+          await manager.save(id, raw);
+        };
+        await expect(callback).rejects.toThrow();
+      });
     });
   });
 });

packages/services/test/workspace/manager.spec.ts

@@ -55,6 +55,15 @@ describe('workspace', () => {
         expect((await manager.fetch(id)).metadata.id).toBe(id);
         await manager.remove(id);
       });
+
+      it('should reject on invalid id', async () => {
+        const id = '../';
+
+        const callback = async () => {
+          await manager.fetch(id);
+        };
+        await expect(callback).rejects.toThrow();
+      });
     });
 
     describe('#list()', () => {
@@ -87,6 +96,15 @@ describe('workspace', () => {
         expect((await manager.fetch(id)).metadata.id).toBe(id);
         await manager.remove(id);
       });
+
+      it('should reject on invalid id', async () => {
+        const id = '../';
+
+        const callback = async () => {
+          await manager.save(id, { data: {}, metadata: { id } });
+        };
+        await expect(callback).rejects.toThrow();
+      });
     });
   });
 });

packages/translation/src/server.ts

@@ -27,7 +27,11 @@ export async function requestTranslationsAPI<T>(
   const settings = serverSettings ?? ServerConnection.makeSettings();
   translationsUrl =
     translationsUrl || `${settings.appUrl}/${TRANSLATIONS_SETTINGS_URL}/`;
-  const requestUrl = URLExt.join(settings.baseUrl, translationsUrl, locale);
+  const translationsBase = URLExt.join(settings.baseUrl, translationsUrl);
+  const requestUrl = URLExt.join(translationsBase, locale);
+  if (!requestUrl.startsWith(translationsBase)) {
+    throw new Error('Can only be used for translations requests');
+  }
   let response: Response;
   try {
     response = await ServerConnection.makeRequest(requestUrl, init, settings);