refactor(security): share safe temp media path builder (#20810)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 7a088e6801 Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com> Reviewed-by: @mbelinky
2026-04-03 03:03:24 -04:00 · 2026-02-19 09:59:21 +00:00
parent ee1d6427b5
commit a7c0aa94d9
6 changed files with 78 additions and 13 deletions
--- a/src/line/download.ts
+++ b/src/line/download.ts
@@ -1,9 +1,7 @@
-import crypto from "node:crypto";
 import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
 import { messagingApi } from "@line/bot-sdk";
 import { logVerbose } from "../globals.js";
+import { buildRandomTempFilePath } from "../plugin-sdk/temp-path.js";

 interface DownloadResult {
  path: string;
@@ -11,10 +9,6 @@ interface DownloadResult {
  size: number;
 }

-function buildLineTempMediaPath(extension: string): string {
-  return path.join(os.tmpdir(), `line-media-${Date.now()}-${crypto.randomUUID()}${extension}`);
-}
-
 export async function downloadLineMedia(
  messageId: string,
  channelAccessToken: string,
@@ -45,7 +39,7 @@ export async function downloadLineMedia(
  const ext = getExtensionForContentType(contentType);

  // Use random temp names; never derive paths from external message identifiers.
-  const filePath = buildLineTempMediaPath(ext);
+  const filePath = buildRandomTempFilePath({ prefix: "line-media", extension: ext });

  await fs.promises.writeFile(filePath, buffer);

--- a/src/plugin-sdk/index.ts
+++ b/src/plugin-sdk/index.ts
@@ -154,6 +154,7 @@ export { extractToolSend } from "./tool-send.js";
 export { resolveChannelAccountConfigBasePath } from "./config-paths.js";
 export { chunkTextForOutbound } from "./text-chunking.js";
 export { readJsonFileWithFallback, writeJsonFileAtomically } from "./json-store.js";
+export { buildRandomTempFilePath } from "./temp-path.js";
 export type { ChatType } from "../channels/chat-type.js";
 /** @deprecated Use ChatType instead */
 export type { RoutePeerKind } from "../routing/resolve-route.js";
--- a/src/plugin-sdk/temp-path.test.ts
+++ b/src/plugin-sdk/temp-path.test.ts
@@ -0,0 +1,32 @@
+import os from "node:os";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import { buildRandomTempFilePath } from "./temp-path.js";
+
+describe("buildRandomTempFilePath", () => {
+  it("builds deterministic paths when now/uuid are provided", () => {
+    const result = buildRandomTempFilePath({
+      prefix: "line-media",
+      extension: ".jpg",
+      tmpDir: "/tmp",
+      now: 123,
+      uuid: "abc",
+    });
+    expect(result).toBe(path.join("/tmp", "line-media-123-abc.jpg"));
+  });
+
+  it("sanitizes prefix and extension to avoid path traversal segments", () => {
+    const result = buildRandomTempFilePath({
+      prefix: "../../line/../media",
+      extension: "/../.jpg",
+      now: 123,
+      uuid: "abc",
+    });
+    const tmpRoot = path.resolve(os.tmpdir());
+    const resolved = path.resolve(result);
+    const rel = path.relative(tmpRoot, resolved);
+    expect(rel === ".." || rel.startsWith(`..${path.sep}`)).toBe(false);
+    expect(path.basename(result)).toBe("line-media-123-abc.jpg");
+    expect(result).not.toContain("..");
+  });
+});
--- a/src/plugin-sdk/temp-path.ts
+++ b/src/plugin-sdk/temp-path.ts
@@ -0,0 +1,39 @@
+import crypto from "node:crypto";
+import os from "node:os";
+import path from "node:path";
+
+function sanitizePrefix(prefix: string): string {
+  const normalized = prefix.replace(/[^a-zA-Z0-9_-]+/g, "-").replace(/^-+|-+$/g, "");
+  return normalized || "tmp";
+}
+
+function sanitizeExtension(extension?: string): string {
+  if (!extension) {
+    return "";
+  }
+  const normalized = extension.startsWith(".") ? extension : `.${extension}`;
+  const suffix = normalized.match(/[a-zA-Z0-9._-]+$/)?.[0] ?? "";
+  const token = suffix.replace(/^[._-]+/, "");
+  if (!token) {
+    return "";
+  }
+  return `.${token}`;
+}
+
+export function buildRandomTempFilePath(params: {
+  prefix: string;
+  extension?: string;
+  tmpDir?: string;
+  now?: number;
+  uuid?: string;
+}): string {
+  const prefix = sanitizePrefix(params.prefix);
+  const extension = sanitizeExtension(params.extension);
+  const nowCandidate = params.now;
+  const now =
+    typeof nowCandidate === "number" && Number.isFinite(nowCandidate)
+      ? Math.trunc(nowCandidate)
+      : Date.now();
+  const uuid = params.uuid?.trim() || crypto.randomUUID();
+  return path.join(params.tmpDir ?? os.tmpdir(), `${prefix}-${now}-${uuid}${extension}`);
+}