amplify-security · amplify-lab · Dec 12, 2024 · amplify-lab · Dec 12, 2024 · amplify-lab
diff --git a/routes/dataErasure.ts b/routes/dataErasure.ts
@@ -66,7 +66,8 @@ router.post('/', async (req: Request<{}, {}, DataErasureRequestParams>, res: Res
 
     res.clearCookie('token')
     if (req.body.layout !== undefined) {
-      const filePath: string = path.resolve(req.body.layout).toLowerCase()
+      const sanitizedLayout: string = path.basename(req.body.layout)
+      const filePath: string = path.resolve('allowed_directory', sanitizedLayout).toLowerCase()
       const isForbiddenFile: boolean = (filePath.includes('ftp') || filePath.includes('ctf.key') || filePath.includes('encryptionkeys'))
       if (!isForbiddenFile) {
         res.render('dataErasureResult', {