
security: validate language codes before dynamic import to prevent path traversal #874

Open
smartalee wants to merge 1 commit into rinafcode:main from smartalee:security/i18n-path-traversal-clean

Conversation

@smartalee


Summary

Fixes path traversal vulnerability in the translation manager by validating language codes against an allowlist before dynamic import.

Changes

  • Added validation against SUPPORTED_LANGUAGES before await import()
  • Path traversal strings like ../../etc/passwd are rejected
  • Unsupported language codes fall back to English gracefully
  • Added security tests for path traversal prevention

Security

  • Prevents attackers from loading arbitrary files via language parameter
  • SUPPORTED_LANGUAGES is the single source of truth for allowed locales
  • Invalid language codes never reach the dynamic import

Closes #719

…th traversal

- Add validation against SUPPORTED_LANGUAGES allowlist before dynamic import
- Reject path traversal strings like ../../lib/secrets
- Fall back to English for unsupported language codes
- Add security tests for path traversal prevention

Closes rinafcode#719
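The allowlist check described in the PR summary and the commit message above, as an added example that is not the project's own code: an untrusted language code is accepted only if it is an exact member of SUPPORTED_LANGUAGES, otherwise English is used, so traversal strings never reach the import specifier. The locale entries, the `./locales/<code>.js` layout and the function names are assumptions.

```javascript
// Added example (not rinafcode's code). SUPPORTED_LANGUAGES is the
// allowlist the PR names; the entries and the locale layout are assumed.
const SUPPORTED_LANGUAGES = Object.freeze(["en", "fr", "de", "es"]);
const DEFAULT_LANGUAGE = "en";

// The vulnerable 'before' pattern: the caller-controlled value is
// interpolated straight into the import specifier, so a value such as
// "../../lib/secrets" escapes the locales directory.
function unsafeSpecifier(lang) {
  return `./locales/${lang}.js`;
}

// Hardened: exact allowlist membership only. Traversal strings, absolute
// paths, case variants ("FR"), empty strings and non-strings all fall back
// to English instead of being passed to import().
function resolveLanguage(lang) {
  if (typeof lang !== "string") return DEFAULT_LANGUAGE;
  return SUPPORTED_LANGUAGES.includes(lang) ? lang : DEFAULT_LANGUAGE;
}

// The specifier is built only from the validated code, never from the
// raw input, so the set of loadable modules equals the allowlist.
function translationSpecifier(lang) {
  return `./locales/${resolveLanguage(lang)}.js`;
}

// `importer` is injectable so the loader can be exercised without a real
// locales tree; in production it is the default `(spec) => import(spec)`.
async function loadTranslations(lang, importer = (spec) => import(spec)) {
  const language = resolveLanguage(lang);
  const specifier = translationSpecifier(lang);
  const mod = await importer(specifier);
  return { language, specifier, messages: mod.default ?? mod };
}

// Sanity check a reviewer can run: every rejected value maps to English.
function allRejected(values) {
  return values.every((v) => resolveLanguage(v) === DEFAULT_LANGUAGE);
}
```

Pair this with a test that feeds traversal strings to the loader through a fake importer and asserts the requested specifier is always `./locales/en.js`.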
@RUKAYAT-CODER

Contributor

Great job so far

There’s just one blocker — merge conflict. Could you take a look and resolve it?

Happy to review again once that’s done.


Development

Successfully merging this pull request may close these issues.

[Security] Dynamic import() in translation manager accepts unsanitized language codes — path traversal risk
