Type: Bug
Resolution: Declined
Priority: Major - P3
Affects Version/s: 2.5.8
Component/s: None
Environment: mongodb-mongosh-2.5.8.aarch64.rpm
Developer Tools
Security (Fixes): Prevent Reflected XSS, Path Traversal, and Shell Injection Vulnerabilities
Description
This pull request strengthens the security of the mongodb-js/mongosh codebase by addressing three issues identified in different modules: reflected cross-site scripting (XSS), path traversal, and command injection, all caused by unsafe handling of user input and shell arguments.
Two of the three locations are *.spec.ts files, i.e. test code whose HTTP handlers run only inside the test suite; the third (editor.ts) is runtime code.
Each modification follows secure coding best practices and introduces minimal functional impact while enhancing overall robustness.
Summary of Fixes
Reflected XSS Mitigation in config.spec.ts
File: packages/build/src/download-center/config.spec.ts
Location: Line 61
Issue:
User input (req.url) was being written directly to the HTTP response using res.end(req.url);, making the application vulnerable to reflected cross-site scripting (XSS).
A malicious actor could craft a specially formed URL containing HTML or JavaScript, which would be reflected back and executed in a victim's browser.
Fix:
- Imported the escape-html library (its default export is the escaping function, used below as escape).
- Escaped user-controlled values before writing them into the HTTP response.
- Replaced the unsafe line:
res.end(req.url);
with:
res.end(escape(req.url));
escape-html replaces &, <, >, " and ' with their HTML entities, so any markup in the reflected URL is rendered as text instead of being parsed by the browser.
Impact:
Prevents reflected XSS attacks while preserving the intended functionality of the HTTP handler.
Path Traversal Prevention in snippet-manager.spec.ts
File: packages/snippet-manager/src/snippet-manager.spec.ts
Location: Lines 175-178
Issue:
File paths were being constructed using unvalidated user input (req.url) via:
path.join(__dirname, '..', 'test', 'fixtures', '.' + req.url)
This approach allowed potential directory traversal, enabling access to files outside the intended fixtures directory if crafted paths such as ../../ were provided.
Fix:
- Introduced a strict validation check using path.resolve() and prefix comparison.
- Ensured that only paths within the intended fixtures root are served.
- Updated the file path construction to:
{{const fixturesRoot = path.resolve(__dirname, '..', 'test', 'fixtures');
const requestedPath = path.resolve(fixturesRoot, '.' + req.url);
if (!requestedPath.startsWith(fixturesRoot + path.sep)) {
  res.writeHead(403);
  res.end('Forbidden');
  return;
}
const source = createReadStream(requestedPath);}}
Additional Adjustments:
- Declared fixturesRoot once outside the request handler for reuse.
- Applied consistent error handling for invalid paths (returns HTTP 403).
Impact:
Eliminates directory traversal risks and ensures that only authorized fixture files can be accessed or read during test operations.
Shell Command Injection Prevention in editor.ts
Issue:
The code dynamically constructed a shell command with:
spawn(editor, [path.basename(tmpDoc)], { shell: true, ... });
When shell: true is enabled, unescaped input in the command arguments can lead to shell injection, where special characters in the file name could alter the executed command or inject arbitrary commands.
Fix:
- Imported the shell-quote module for secure shell argument escaping.
- Escaped the filename argument before passing it to spawn.
- Updated the code to:
{{const shellQuote = require('shell-quote');
spawn(editor, [shellQuote.quote([path.basename(tmpDoc)])], { shell: true, ... });}}
Alternatively, to quote both command and arguments:
spawn(shellQuote.quote([editor, path.basename(tmpDoc)]), { shell: true, ... });
Caveat: quoting editor as a single word changes its meaning when the configured value carries its own arguments (for example code --wait becomes 'code --wait', which the shell then looks up as one command name). shell-quote also produces POSIX quoting; with shell: true on Windows the command line is run by cmd.exe, where single quotes are not quoting characters, so the escaping does not protect that platform.
Impact:
Prevents command injection while preserving the expected shell command behavior.
All user-influenced paths and arguments are now properly escaped before execution.
Security Impact
These changes address three weakness classes in different modules of the project:
| Vulnerability Type | CWE Reference | Impact |
|---|---|---|
| Reflected Cross-Site Scripting (XSS) | CWE-79 | Prevents malicious scripts from executing in browsers. |
| Path Traversal | CWE-22 | Prevents access to unintended files or directories. |
| Command Injection | CWE-78 | Prevents arbitrary command execution on the host system. |
These mitigations significantly reduce attack surfaces by enforcing input validation, encoding, and secure shell handling.
Technical References
- CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
- CWE-78: Improper Neutralization of Special Elements Used in an OS Command
This request enhances the security of the mongodb-js/mongosh codebase by addressing the three issues described above.
Specifically, it mitigates reflected XSS, path traversal, and shell injection risks caused by unsanitized user inputs and unescaped command arguments.
The fixes include:
- Escaping user-controlled values before sending them in HTTP responses (escape-html),
- Validating and constraining file paths to a safe root directory (path.resolve checks), and
- Properly quoting shell arguments using shell-quote when spawning commands.
These improvements ensure safer handling of input data, prevent unintended file system or command access, and strengthen overall runtime integrity — all without altering core functionality.