codeql

src/serve_style.js

@@ -122,8 +122,9 @@ export const serve_style = {
           );
         return res.sendStatus(404);
       }
-      const spriteScale = allowedSpriteScales(scale);
+
       const sprite = item.spritePaths.find((sprite) => sprite.id === spriteID);
+      const spriteScale = allowedSpriteScales(scale);
       if (!sprite || spriteScale === null) {
         if (verbose)
           console.error(
@@ -136,7 +137,9 @@ export const serve_style = {
         return res.status(400).send('Bad Sprite ID or Scale');
       }
 
-      const filename = `${sprite.path}${spriteScale}.${validatedFormat}`;
+      const sanitizedSpritePath = sprite.path.replace(/^(\.\.\/)+/, '');
+
+      const filename = `${sanitizedSpritePath}${spriteScale}.${validatedFormat}`;
       if (verbose) console.log(`Loading sprite from: %s`, filename);
 
       // eslint-disable-next-line security/detect-non-literal-fs-filename
@@ -151,9 +154,9 @@ export const serve_style = {
           return res.sendStatus(404);
         }
 
-        if (format === 'json') {
+        if (validatedFormat === 'json') {
           res.header('Content-type', 'application/json');
-        } else if (format === 'png') {
+        } else if (validatedFormat === 'png') {
           res.header('Content-type', 'image/png');
         }
         if (verbose)

src/utils.js

@@ -196,19 +196,29 @@ export function fixTileJSONCenter(tileJSON) {
  */
 function getFontPbf(allowedFonts, fontPath, name, range, fallbacks) {
   return new Promise((resolve, reject) => {
-    const fontMatch = name?.match(/^[\w\s-]+$/);
-    if (!name || typeof name !== 'string' || name.trim() === '' || !fontMatch) {
-      console.error('ERROR: Invalid font name: %s', 'invalid');
-      return reject('Invalid font name');
-    }
-    const sanitizedName = fontMatch[0];
-    const filename = path.join(fontPath, sanitizedName, `${range}.pbf`);
-
-    if (!/^\d+-\d+$/.test(range)) {
-      console.error('ERROR: Invalid range: %s', range);
-      return reject('Invalid range');
-    }
     if (!allowedFonts || (allowedFonts[name] && fallbacks)) {
+      const fontMatch = name?.match(/^[\w\s-]+$/);
+      if (
+        !name ||
+        typeof name !== 'string' ||
+        name.trim() === '' ||
+        !fontMatch
+      ) {
+        console.error('ERROR: Invalid font name: %s', 'invalid');
+        return reject('Invalid font name');
+      }
+      const sanitizedName = fontMatch[0];
+      console.error('ERROR: Invalid font name: %s', sanitizedName);
+      if (!/^\d+-\d+$/.test(range)) {
+        console.error('ERROR: Invalid range: %s', range);
+        return reject('Invalid range');
+      }
+      const sanitizedFontPath = fontPath.replace(/^(\.\.\/)+/, '');
+      const filename = path.join(
+        sanitizedFontPath,
+        sanitizedName,
+        `${range}.pbf`,
+      );
       if (!fallbacks) {
         fallbacks = clone(allowedFonts || {});
       }
@@ -224,7 +234,7 @@ function getFontPbf(allowedFonts, fontPath, name, range, fallbacks) {
           if (fallbacks && Object.keys(fallbacks).length) {
             let fallbackName;
 
-            let fontStyle = sanitizedName.split(' ').pop();
+            let fontStyle = name.split(' ').pop();
             if (['Regular', 'Bold', 'Italic'].indexOf(fontStyle) < 0) {
               fontStyle = 'Regular';
             }
@@ -235,6 +245,7 @@ function getFontPbf(allowedFonts, fontPath, name, range, fallbacks) {
                 fallbackName = Object.keys(fallbacks)[0];
               }
             }
+
             console.error(
               `ERROR: Trying to use %s as a fallback for: %s`,
               fallbackName,