fix: restrict device icon data URI parsing to prevent path traversal

The base64 image regex used a greedy `.+` for the extension capture,
letting values like `data:image/png/../../foo;base64,...` flow into
path.join() in saveBase64DeviceIcon and produce arbitrary file writes
via bridge/request/device/options. Anchor the regex, constrain the
extension and data character classes to safe sets, and reject
extensions outside an explicit allowlist.

Includes a regression test for non-allowlisted image extensions via
bridge/request/device/options.

Author: filips

lib/util/utils.ts

@@ -10,7 +10,8 @@ import type {Zigbee2MQTTAPI, Zigbee2MQTTResponse, Zigbee2MQTTResponseEndpoints,
 
 import data from "./data";
 
-const BASE64_IMAGE_REGEX = /data:image\/(?<extension>.+);base64,(?<data>.+)/;
+const BASE64_IMAGE_REGEX = /^data:image\/(?<extension>[A-Za-z0-9]+);base64,(?<data>[A-Za-z0-9+/=]+)$/;
+const ALLOWED_ICON_EXTENSIONS = new Set(["png", "jpg", "jpeg", "gif", "webp", "svg", "bmp"]);
 
 export const DEFAULT_BIND_GROUP_ID = 901;
 
@@ -386,8 +387,14 @@ function matchBase64File(value: string | undefined): {extension: string; data: s
 }
 
 function saveBase64DeviceIcon(base64Match: {extension: string; data: string}): string {
+    const extension = base64Match.extension.toLowerCase();
+
+    if (!ALLOWED_ICON_EXTENSIONS.has(extension)) {
+        throw new Error(`Unsupported icon extension '${base64Match.extension}'`);
+    }
+
     const md5Hash = crypto.createHash("md5").update(base64Match.data).digest("hex");
-    const fileSettings = `device_icons/${md5Hash}.${base64Match.extension}`;
+    const fileSettings = `device_icons/${md5Hash}.${extension}`;
     const file = path.join(data.getPath(), fileSettings);
     fs.mkdirSync(path.dirname(file), {recursive: true});
     fs.writeFileSync(file, base64Match.data, {encoding: "base64"});

test/extensions/bridge.test.ts

@@ -3442,6 +3442,20 @@ describe("Extension: Bridge", () => {
         );
     });
 
+    it("Should reject icon data URI with disallowed extension", async () => {
+        mockMQTTPublishAsync.mockClear();
+        const malicious = "data:image/exe;base64,QUFB";
+        mockMQTTEvents.message("zigbee2mqtt/bridge/request/device/options", stringify({options: {icon: malicious}, id: "bulb"}));
+        await flushPromises();
+
+        expect(mockMQTTPublishAsync).toHaveBeenCalledWith(
+            "zigbee2mqtt/bridge/response/device/options",
+            expect.stringContaining("Unsupported icon extension 'exe'"),
+            {},
+        );
+        expect(settings.getDevice("bulb").icon).toBeUndefined();
+    });
+
     it("Should allow to remove device option", async () => {
         mockMQTTPublishAsync.mockClear();
         settings.set(["devices", "0x000b57fffec6a5b2", "qos"], 1);