From 0d0ccdcbf147046959d147c7a6fdcbf15f78d2e3 Mon Sep 17 00:00:00 2001
From: "amplify-lab[bot]" <136653172+amplify-lab[bot]@users.noreply.github.com>
Date: Thu, 12 Dec 2024 15:01:36 +0000
Subject: [PATCH] Fix - Code fix for CWE-22 accepted

Automated code fix by Amplify Security accepted by lae@lae.is
---
 routes/dataErasure.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/routes/dataErasure.ts b/routes/dataErasure.ts
index 9f61a2aa4d2..6f7b6e0d67d 100644
--- a/routes/dataErasure.ts
+++ b/routes/dataErasure.ts
@@ -66,7 +66,8 @@ router.post('/', async (req: Request<{}, {}, DataErasureRequestParams>, res: Res
   res.clearCookie('token')
 
   if (req.body.layout !== undefined) {
-    const filePath: string = path.resolve(req.body.layout).toLowerCase()
+    const sanitizedLayout: string = path.basename(req.body.layout)
+    const filePath: string = path.resolve('allowed_directory', sanitizedLayout).toLowerCase()
     const isForbiddenFile: boolean = (filePath.includes('ftp') || filePath.includes('ctf.key') || filePath.includes('encryptionkeys'))
     if (!isForbiddenFile) {
       res.render('dataErasureResult', {
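Review bot: `'allowed_directory'` on the added `filePath` line is a bare relative name that `path.resolve` anchors at `process.cwd()`, and nothing in the hunk shows such a directory exists, so it reads like an unfilled placeholder from the automated fix and likely turns every legitimate layout lookup into a miss rather than confining it; it should be the absolute directory the view engine actually serves layouts from, e.g. a module-level constant built with `path.resolve(__dirname, ...)`, and the `includes(...)` denylist on the following line should be backed by an allowlist of known layout names, since a substring denylist only blocks what it spells out. `path.basename` does strip the traversal component, but the pre-existing `.toLowerCase()` is still applied to the whole resolved path, which on a case-sensitive filesystem can turn a valid name into a non-existent one — worth a comment or restricting it to the basename. If this is the intentionally vulnerable Juice Shop route (the path and `DataErasureRequestParams` suggest it), the change also disables the challenge this code exists for, which the commit message should say. The enclosing handler and the `res.render` call continue outside the hunk.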