SamagraX-Stencil / stencil

NestJS on steroids 💪
https://stencil.samagra.io
MIT License

Fixed-illegal-urlpassing-as-param #125

Open ShivamAher30 opened 3 weeks ago

ShivamAher30 commented 3 weeks ago

Issue #120: Path Traversal Vulnerability via Illegal URL Destination Parameter

Problem: Normally, when passing the destination parameter, a file is downloaded. However, if characters like ../ are added and passed as a parameter after URL encoding, it enables access to files outside of the directory. For instance, the string ../test/jest-e2e.json, when URL encoded, can be passed as the destination parameter: localhost:3000/files/download/..%2Ftest%2Fjest-e2e.json. This results in the file being served as a response, potentially exposing sensitive information.

How to Recreate:

  1. Pass a URL-encoded string containing ../ as the destination parameter.
  2. Access the corresponding endpoint, for example: localhost:3000/files/download/..%2Ftest%2Fjest-e2e.json.
  3. The content of the jest-e2e.json file is served as a response, revealing potentially sensitive data.

Solution: To mitigate this vulnerability, we need to validate the destination parameter to ensure it does not contain any illegal characters or patterns that could lead to path traversal attacks. We can achieve this by implementing server-side validation and rejecting requests with invalid destination parameters.

Changes:

  1. Implement validation checks for the destination parameter in the affected endpoint handler controller.
  2. If the destination parameter contains illegal characters or patterns indicative of path traversal attempts, return an appropriate error response and do not serve the requested file.

Test Cases

Allowed Test Cases: The following folder structure and test cases are considered safe:

  1. new.txt
  2. demo.c
  3. new1232.js

Rejected Test Cases: Requests attempting to access ../.env after URL encoding, which may leak information stored in the .env file, are rejected.
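The PR text describes the fix only in outline (validate the destination parameter, reject traversal patterns). The following is an added example, not the project's code and not the author's patch, of what a complete server-side check for this class of bug looks like in the project's own language. The download root (`/srv/stencil/uploads`), the function name `safeDownloadPath` and the allowed-character policy are assumptions for this illustration; the inputs are the ones from the report above plus a few variants (double encoding, absolute path, NUL byte) that a naive `includes("../")` test would miss.

```typescript
import * as path from "node:path";

// Assumed download root for this example; the project's real location of
// downloadable files is not shown on the page.
export const DOWNLOAD_ROOT = path.resolve("/srv/stencil/uploads");

// Allowlist for a single path segment: must start with a letter, digit, "_"
// or "-", then letters, digits, ".", "_" or "-". This rejects "..", ".",
// empty segments and dotfiles such as ".env" in one rule.
const SAFE_SEGMENT = /^[A-Za-z0-9_-][A-Za-z0-9._-]*$/;

/**
 * Returns the absolute path of `destination` inside `root`, or null when the
 * request must be rejected (traversal, absolute path, encoding tricks, NUL).
 */
export function safeDownloadPath(
  destination: string,
  root: string = DOWNLOAD_ROOT,
): string | null {
  // Step 1: decode once. Express/NestJS already decodes route params, so a
  // value that decodes *again* to something different is double-encoded
  // (e.g. %252e%252e -> %2e%2e -> ..) and is rejected, not decoded twice.
  let decoded: string;
  try {
    decoded = decodeURIComponent(destination);
    if (decodeURIComponent(decoded) !== decoded) return null;
  } catch {
    return null; // malformed percent-encoding
  }

  // Step 2: reject NUL bytes and absolute paths (POSIX, drive-letter, UNC).
  if (decoded.includes("\0")) return null;
  if (path.isAbsolute(decoded) || /^[A-Za-z]:/.test(decoded) || decoded.startsWith("\\\\")) {
    return null;
  }

  // Step 3: split on both separators so "..\\" is caught as well as "../",
  // then require every segment to match the allowlist.
  const segments = decoded.split(/[\\/]/);
  if (segments.length === 0 || !segments.every((s) => SAFE_SEGMENT.test(s))) {
    return null;
  }

  // Step 4: belt and braces. Resolve against the root and confirm the result
  // is still strictly below it; this catches anything the allowlist misses.
  const resolved = path.resolve(root, ...segments);
  const rootWithSep = root.endsWith(path.sep) ? root : root + path.sep;
  if (!resolved.startsWith(rootWithSep)) return null;

  return resolved;
}

// Convenience wrapper matching the accept/reject wording used in the PR.
export function isAllowedDestination(destination: string): boolean {
  return safeDownloadPath(destination) !== null;
}
```

In a controller the handler would call `safeDownloadPath(destination)` and respond with a 400 when it returns null, otherwise stream the returned absolute path; the check runs on the decoded value, so it behaves the same whether the client sends `../test/jest-e2e.json` or `..%2Ftest%2Fjest-e2e.json`. The allowlist deliberately rejects names starting with a dot, which is what keeps `.env` itself unreachable even without the `../` prefix; relax `SAFE_SEGMENT` if dotfiles must be downloadable.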