Add validateEndpoint method to block side effects from relative path …

…and query param
initia-labs · Nov 8, 2024 · 87eb5d4 · 87eb5d4
1 parent 2c9d331
commit 87eb5d4
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/src/client/rest/APIRequester.ts b/src/client/rest/APIRequester.ts
@@ -40,6 +40,16 @@ export class APIRequester {
     })
   }
 
+  private validateEndpoint(endpoint: string) {
+    if (endpoint.includes('../')) {
+      throw new Error('Relative path not allowed')
+    }
+
+    if (endpoint.includes('?')) {
+      throw new Error('Query param not allowed')
+    }
+  }
+
   private computeEndpoint(endpoint: string) {
     const url = new URL(this.baseURL)
 
@@ -54,6 +64,7 @@ export class APIRequester {
     endpoint: string,
     params: URLSearchParams | APIParams = {}
   ): Promise<T> {
+    this.validateEndpoint(endpoint)
     const url = this.computeEndpoint(endpoint)
     return this.axios.get(url, { params }).then((d) => d.data)
   }
@@ -63,11 +74,13 @@ export class APIRequester {
     params: URLSearchParams | APIParams = {},
     headers: AxiosHeaders = new AxiosHeaders()
   ): Promise<T> {
+    this.validateEndpoint(endpoint)
     const url = this.computeEndpoint(endpoint)
     return this.axios.get(url, { params, headers }).then((d) => d.data)
   }
 
   public async post<T>(endpoint: string, data?: any): Promise<T> {
+    this.validateEndpoint(endpoint)
     const url = this.computeEndpoint(endpoint)
     return this.axios.post(url, data).then((d) => d.data)
   }