CodeQL fixes

Author: Rajat

apps/web/app/api/scorm/lesson/[lessonId]/runtime/route.ts

@@ -181,14 +181,31 @@ export async function POST(
 
 function setNestedValue(obj: any, path: string, value: unknown): void {
     const parts = path.split(".");
+
+    const isUnsafeKey = (key: string): boolean => {
+        return (
+            key === "__proto__" || key === "constructor" || key === "prototype"
+        );
+    };
+
     let current = obj;
     for (let i = 0; i < parts.length - 1; i++) {
         const part = parts[i];
+        if (isUnsafeKey(part)) {
+            // Prevent prototype pollution by ignoring unsafe path segments
+            return;
+        }
         if (current[part] === undefined) {
             const nextPart = parts[i + 1];
             current[part] = /^\d+$/.test(nextPart) ? [] : {};
         }
         current = current[part];
     }
-    current[parts[parts.length - 1]] = value;
+    const lastPart = parts[parts.length - 1];
+    if (isUnsafeKey(lastPart)) {
+        // Prevent prototype pollution on final assignment
+        return;
+    }
+
+    current[lastPart] = value;
 }

apps/web/components/public/lesson-viewer/scorm-viewer.tsx

@@ -309,17 +309,41 @@ function getNestedValue(obj: any, path: string): unknown {
     return path.split(".").reduce((curr, key) => curr?.[key], obj);
 }
 
+// Guard against prototype pollution by blocking dangerous keys
+function isUnsafeKey(key: string): boolean {
+    return key === "__proto__" || key === "constructor" || key === "prototype";
+}
+
 // Helper to set nested value in object
 function setNestedValue(obj: any, path: string, value: unknown): void {
     const parts = path.split(".");
-    let current = obj;
+    let current: any = obj;
+
     for (let i = 0; i < parts.length - 1; i++) {
-        if (current[parts[i]] === undefined) {
-            current[parts[i]] = {};
+        const part = parts[i];
+
+        // Prevent prototype pollution via unsafe keys
+        if (isUnsafeKey(part)) {
+            return;
+        }
+
+        if (current[part] === undefined || current[part] === null) {
+            current[part] = {};
+        }
+
+        current = current[part];
+        if (typeof current !== "object") {
+            // Cannot safely nest further into non-object
+            return;
         }
-        current = current[parts[i]];
     }
-    current[parts[parts.length - 1]] = value;
+
+    const lastPart = parts[parts.length - 1];
+    if (isUnsafeKey(lastPart)) {
+        return;
+    }
+
+    current[lastPart] = value;
 }
 
 export default ScormViewer;

apps/web/lib/scorm/cache.ts

@@ -127,11 +127,31 @@ async function extractZipToDisk(
     await fs.mkdir(extractDir, { recursive: true });
 
     // Extract all files
+    const resolvedExtractDir = path.resolve(extractDir);
     for (const entry of zip.getEntries()) {
         if (!entry.isDirectory) {
-            const targetPath = path.join(extractDir, entry.entryName);
-            await fs.mkdir(path.dirname(targetPath), { recursive: true });
-            await fs.writeFile(targetPath, new Uint8Array(entry.getData()));
+            const targetPath = path.join(resolvedExtractDir, entry.entryName);
+            const resolvedTargetPath = path.resolve(targetPath);
+
+            // Prevent Zip Slip / directory traversal: ensure target stays within extractDir
+            if (
+                resolvedTargetPath !== resolvedExtractDir &&
+                !resolvedTargetPath.startsWith(resolvedExtractDir + path.sep)
+            ) {
+                error("Skipping suspicious ZIP entry path during extraction", {
+                    entryName: entry.entryName,
+                    targetPath: resolvedTargetPath,
+                });
+                continue;
+            }
+
+            await fs.mkdir(path.dirname(resolvedTargetPath), {
+                recursive: true,
+            });
+            await fs.writeFile(
+                resolvedTargetPath,
+                new Uint8Array(entry.getData()),
+            );
         }
     }
 }