path fix

Author: cs-raj

packages/contentstack-export/src/commands/cm/stacks/export.ts

@@ -9,6 +9,7 @@ import {
   ContentstackClient,
   FlagInput,
   pathValidator,
+  sanitizePath,
 } from '@contentstack/cli-utilities';
 import { ModuleExporter } from '../../../export';
 import { setupExportConfig, log, formatError, writeExportMetaFile } from '../../../utils';
@@ -108,7 +109,7 @@ export default class ExportCommand extends Command {
       exportConfig.region = this.region;
       exportConfig.developerHubBaseUrl = this.developerHubUrl;
       if (this.personalizeUrl) exportConfig.modules.personalize.baseURL[exportConfig.region.name] = this.personalizeUrl;
-      exportDir = exportConfig.cliLogsPath || exportConfig.data || exportConfig.exportDir;
+      exportDir = sanitizePath(exportConfig.cliLogsPath || exportConfig.data || exportConfig.exportDir);
       const managementAPIClient: ContentstackClient = await managementSDKClient(exportConfig);
       const moduleExporter = new ModuleExporter(managementAPIClient, exportConfig);
       await moduleExporter.start();

packages/contentstack-export/src/utils/export-config-handler.ts

@@ -1,6 +1,6 @@
 import merge from 'merge';
 import * as path from 'path';
-import { configHandler, isAuthenticated, FlagInput, cliux } from '@contentstack/cli-utilities';
+import { configHandler, isAuthenticated, FlagInput, cliux, sanitizePath } from '@contentstack/cli-utilities';
 import defaultConfig from '../config';
 import { readFile } from './file-helper';
 import { askExportDir, askAPIKey } from './interactive';
@@ -15,14 +15,14 @@ const setupConfig = async (exportCmdFlags: any): Promise<ExportConfig> => {
     const externalConfig = await readFile(exportCmdFlags['config']);
     config = merge.recursive(config, externalConfig);
   }
-  config.exportDir = exportCmdFlags['data'] || exportCmdFlags['data-dir'] || config.data || (await askExportDir());
+  config.exportDir = sanitizePath(exportCmdFlags['data'] || exportCmdFlags['data-dir'] || config.data || (await askExportDir()));
 
   const pattern = /[*$%#<>{}!&?]/g;
   if (pattern.test(config.exportDir)) {
     cliux.print(`\nPlease add a directory path without any of the special characters: (*,&,{,},[,],$,%,<,>,?,!)`, {
       color: 'yellow',
     });
-    config.exportDir = await askExportDir();
+    config.exportDir = sanitizePath(await askExportDir());
   }
   config.exportDir = config.exportDir.replace(/['"]/g, '');
   config.exportDir = path.resolve(config.exportDir);

packages/contentstack-export/src/utils/logger.ts

@@ -137,7 +137,7 @@ function init(_logPath: string) {
 }
 
 export const log = async (config: ExportConfig, message: any, type: string) => {
-  const logsPath = config.cliLogsPath || config.data;
+  const logsPath = sanitizePath(config.cliLogsPath || config.data);
   // ignoring the type argument, as we are not using it to create a logfile anymore
   if (type !== 'error') {
     // removed type argument from init method

packages/contentstack-import-setup/src/utils/import-config-handler.ts

@@ -20,13 +20,13 @@ const setupConfig = async (importCmdFlags: any): Promise<ImportConfig> => {
   //   config = merge.recursive(config, externalConfig);
   // }
 
-  config.contentDir = importCmdFlags['data'] || importCmdFlags['data-dir'] || config.data || (await askContentDir());
+  config.contentDir = sanitizePath(importCmdFlags['data'] || importCmdFlags['data-dir'] || config.data || (await askContentDir()));
   const pattern = /[*$%#<>{}!&?]/g;
   if (pattern.test(config.contentDir)) {
     cliux.print(`\nPlease add a directory path without any of the special characters: (*,&,{,},[,],$,%,<,>,?,!)`, {
       color: 'yellow',
     });
-    config.contentDir = await askContentDir();
+    config.contentDir = sanitizePath(await askContentDir());
   }
   config.contentDir = config.contentDir.replace(/['"]/g, '');
   config.contentDir = path.resolve(config.contentDir);

packages/contentstack-import-setup/src/utils/logger.ts

@@ -140,7 +140,7 @@ function init(_logPath: string) {
 }
 
 export const log = async (config: ImportConfig, message: any, type: string) => {
-  config.cliLogsPath = config.cliLogsPath || config.data || path.join(__dirname, 'logs');
+  config.cliLogsPath = sanitizePath(config.cliLogsPath || config.data || path.join(__dirname, 'logs'));
   // ignoring the type argument, as we are not using it to create a logfile anymore
   if (type !== 'error') {
     // removed type argument from init method

packages/contentstack-import/src/utils/import-config-handler.ts

@@ -20,13 +20,13 @@ const setupConfig = async (importCmdFlags: any): Promise<ImportConfig> => {
     config = merge.recursive(config, externalConfig);
   }
 
-  config.contentDir = importCmdFlags['data'] || importCmdFlags['data-dir'] || config.data || (await askContentDir());
+  config.contentDir = sanitizePath(importCmdFlags['data'] || importCmdFlags['data-dir'] || config.data || (await askContentDir()));
   const pattern = /[*$%#<>{}!&?]/g;
   if (pattern.test(config.contentDir)) {
     cliux.print(`\nPlease add a directory path without any of the special characters: (*,&,{,},[,],$,%,<,>,?,!)`, {
       color: 'yellow',
     });
-    config.contentDir = await askContentDir();
+    config.contentDir = sanitizePath(await askContentDir());
   }
   config.contentDir = config.contentDir.replace(/['"]/g, '');
   config.contentDir = path.resolve(config.contentDir);

packages/contentstack-import/src/utils/logger.ts

@@ -140,7 +140,7 @@ function init(_logPath: string) {
 }
 
 export const log = async (config: ImportConfig, message: any, type: string) => {
-  config.cliLogsPath = config.cliLogsPath || config.data || path.join(__dirname, 'logs');
+  config.cliLogsPath = sanitizePath(config.cliLogsPath || config.data || path.join(__dirname, 'logs'));
   // ignoring the type argument, as we are not using it to create a logfile anymore
   if (type !== 'error') {
     // removed type argument from init method

packages/contentstack-utilities/src/helpers.ts

@@ -54,7 +54,13 @@ export const validatePath = (input: string) => {
 export const escapeRegExp = (str: string) => str?.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 
 // To remove the relative path
-export const sanitizePath = (str: string) => str?.replace(/^(\.\.(\/|\\|$))+/, '');
+export const sanitizePath = (str: string) => {
+  const decodedStr = decodeURIComponent(str);
+  return decodedStr
+    ?.replace(/^([\/\\]){2,}/, "./") // Normalize leading slashes/backslashes to ''
+    .replace(/[\/\\]+/g, "/") // Replace multiple slashes/backslashes with a single '/'
+    .replace(/(\.\.(\/|\\|$))+/g, ""); // Remove directory traversal (../ or ..\)
+};
 
 // To validate the UIDs of assets
 export const validateUids = (uid) => /^[a-zA-Z0-9]+$/.test(uid);