security: detect encoded path traversal specifiers

Author: unadlib

packages/security/src/index.ts

@@ -383,7 +383,7 @@ export class DefaultSecurityChecker implements SecurityChecker {
     const issues: string[] = [];
     const diagnostics: RuntimeDiagnostic[] = [];
 
-    if (specifier.includes("..")) {
+    if (this.hasPathTraversalSequence(specifier)) {
       issues.push(
         `Path traversal is not allowed in module specifier: ${specifier}`,
       );
@@ -767,6 +767,43 @@ export class DefaultSecurityChecker implements SecurityChecker {
       return false;
     }
   }
+
+  private hasPathTraversalSequence(specifier: string): boolean {
+    if (specifier.includes("..")) {
+      return true;
+    }
+
+    for (const decoded of this.decodeSpecifierVariants(specifier)) {
+      if (decoded.includes("..")) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  private decodeSpecifierVariants(specifier: string): string[] {
+    const variants: string[] = [];
+    let current = specifier;
+
+    for (let i = 0; i < 2; i += 1) {
+      let decoded: string;
+      try {
+        decoded = decodeURIComponent(current);
+      } catch {
+        break;
+      }
+
+      if (decoded === current) {
+        break;
+      }
+
+      variants.push(decoded);
+      current = decoded;
+    }
+
+    return variants;
+  }
 }
 
 function clonePolicy(policy: RuntimeSecurityPolicy): RuntimeSecurityPolicy {

tests/security.test.ts

@@ -69,6 +69,30 @@ test("security checker allows allowed JSPM module specifiers", async () => {
   assert.equal(moduleResult.issues.length, 0);
 });
 
+test("security checker blocks encoded path traversal module specifiers", async () => {
+  const checker = new DefaultSecurityChecker();
+  checker.initialize();
+
+  const encodedLowerResult = checker.checkModuleSpecifier(
+    "https://ga.jspm.io/%2e%2e/escape.js",
+  );
+  const encodedUpperResult = checker.checkModuleSpecifier(
+    "https://ga.jspm.io/%2E%2E/escape.js",
+  );
+  const doubleEncodedResult = checker.checkModuleSpecifier(
+    "https://ga.jspm.io/%252e%252e/escape.js",
+  );
+
+  assert.equal(encodedLowerResult.safe, false);
+  assert.equal(encodedUpperResult.safe, false);
+  assert.equal(doubleEncodedResult.safe, false);
+  assert.ok(
+    encodedLowerResult.issues.some((issue) =>
+      issue.includes("Path traversal is not allowed"),
+    ),
+  );
+});
+
 test("security checker blocks unsafe state action paths", async () => {
   const checker = new DefaultSecurityChecker();
   checker.initialize();