CodeQL fixes 2

Rajat · Rajat · commit 0314e521e3af · 2026-01-15T10:55:53.000+05:30
diff --git a/apps/web/app/api/scorm/lesson/[lessonId]/runtime/route.ts b/apps/web/app/api/scorm/lesson/[lessonId]/runtime/route.ts
@@ -197,7 +197,8 @@ function setNestedValue(obj: any, path: string, value: unknown): void {
         }
         if (current[part] === undefined) {
             const nextPart = parts[i + 1];
-            current[part] = /^\d+$/.test(nextPart) ? [] : {};
+            // Use Object.create(null) to create objects without prototype chain
+            current[part] = /^\d+$/.test(nextPart) ? [] : Object.create(null);
         }
         current = current[part];
     }
diff --git a/apps/web/components/public/lesson-viewer/scorm-viewer.tsx b/apps/web/components/public/lesson-viewer/scorm-viewer.tsx
@@ -328,7 +328,8 @@ function setNestedValue(obj: any, path: string, value: unknown): void {
         }
 
         if (current[part] === undefined || current[part] === null) {
-            current[part] = {};
+            // Use Object.create(null) to create objects without prototype chain
+            current[part] = Object.create(null);
         }
 
         current = current[part];
diff --git a/apps/web/lib/scorm/cache.ts b/apps/web/lib/scorm/cache.ts
@@ -113,6 +113,30 @@ async function fetchZipFromMediaLit(
     }
 }
 
+/**
+ * Validate ZIP entry name to prevent directory traversal
+ */
+function isSafeZipEntryName(entryName: string): boolean {
+    if (!entryName) return false;
+
+    // ZIP specification uses '/' as directory separator; reject backslashes
+    if (entryName.includes("\\")) return false;
+
+    // Reject absolute paths or Windows drive-letter paths (e.g. "C:...").
+    if (entryName.startsWith("/")) return false;
+    if (/^[a-zA-Z]:/.test(entryName)) return false;
+
+    // Normalize and ensure there are no ".." segments.
+    const segments = entryName.split("/");
+    for (const segment of segments) {
+        if (segment === "..") {
+            return false;
+        }
+    }
+
+    return true;
+}
+
 /**
  * Extract ZIP to disk directory
  */
@@ -130,6 +154,14 @@ async function extractZipToDisk(
     const resolvedExtractDir = path.resolve(extractDir);
     for (const entry of zip.getEntries()) {
         if (!entry.isDirectory) {
+            // Validate entry name to prevent directory traversal (Zip Slip)
+            if (!isSafeZipEntryName(entry.entryName)) {
+                error("Skipping unsafe ZIP entry name during extraction", {
+                    entryName: entry.entryName,
+                });
+                continue;
+            }
+
             const targetPath = path.join(resolvedExtractDir, entry.entryName);
             const resolvedTargetPath = path.resolve(targetPath);
 

Original file line number	Diff line number	Diff line change
`@@ -197,7 +197,8 @@ function setNestedValue(obj: any, path: string, value: unknown): void {`
`197`	`197`	`}`
`198`	`198`	`if (current[part] === undefined) {`
`199`	`199`	`const nextPart = parts[i + 1];`
`200`		`- current[part] = /^\d+$/.test(nextPart) ? [] : {};`
	`200`	`+ // Use Object.create(null) to create objects without prototype chain`
	`201`	`+ current[part] = /^\d+$/.test(nextPart) ? [] : Object.create(null);`
`201`	`202`	`}`
`202`	`203`	`current = current[part];`
`203`	`204`	`}`
Original file line number	Diff line number	Diff line change
`@@ -328,7 +328,8 @@ function setNestedValue(obj: any, path: string, value: unknown): void {`
`328`	`328`	`}`
`329`	`329`
`330`	`330`	`if (current[part] === undefined \|\| current[part] === null) {`
`331`		`- current[part] = {};`
	`331`	`+ // Use Object.create(null) to create objects without prototype chain`
	`332`	`+ current[part] = Object.create(null);`
`332`	`333`	`}`
`333`	`334`
`334`	`335`	`current = current[part];`