feat: file path validation (#636)

### Description Add file path validation for FileSystemRegistry. This implementation validates paths provided to the registry by checking for invalid characters, ensuring URL-like paths use the `file:// protocol`, and detecting null bytes that could be used in path traversal attacks. The validation throws a clear error message when invalid paths are detected, preventing potential runtime errors or security issues. ### Backward compatibility Yes - This change is backward compatible as it only adds validation to reject invalid paths that would likely cause errors during operation anyway. Valid paths will continue to work as before. ### Testing The validation function has been manually tested with various path formats to ensure proper rejection of invalid paths and acceptance of valid ones. The implementation works correctly with existing registry functionality.
hyperlane-xyz · Mar 7, 2025 · 10d02e5 · 10d02e5
1 parent df909ee
commit 10d02e5
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 1 deletion.
diff --git a/.changeset/tiny-kiwis-admire.md b/.changeset/tiny-kiwis-admire.md
@@ -0,0 +1,5 @@
+---
+'@hyperlane-xyz/registry': minor
+---
+
+Add file path string validation
diff --git a/src/registry/registry-utils.ts b/src/registry/registry-utils.ts
@@ -19,6 +19,31 @@ const isCanonicalRepoUrl = (url: string): boolean => {
   return url === DEFAULT_GITHUB_REGISTRY;
 };
 
+const isValidFilePath = (path: string): boolean => {
+  try {
+    // Check for control characters (0-31) and DEL (127) without using regex
+    const hasControlChars = Array.from(path).some((char) => {
+      const code = char.charCodeAt(0);
+      return (code >= 0 && code <= 31) || code === 127;
+    });
+    if (hasControlChars) return false;
+
+    // For paths with protocol, validate they're file:// protocol
+    if (path.includes('://')) {
+      try {
+        const url = new URL(path);
+        return url.protocol === 'file:';
+      } catch {
+        return false;
+      }
+    }
+
+    return true;
+  } catch {
+    return false;
+  }
+};
+
 export function getRegistry(
   registryUris: string[],
   enableProxy: boolean,
@@ -39,8 +64,15 @@ export function getRegistry(
           proxyUrl: enableProxy && isCanonicalRepoUrl(uri) ? PROXY_DEPLOYED_URL : undefined,
         });
       } else {
+        if (!isValidFilePath(uri)) {
+          throw new Error(`Invalid file system path: ${uri}`);
+        }
+
+        // Extract path from file:// URL if needed
+        const fsPath = uri.includes('://') ? new URL(uri).pathname : uri;
+
         return new FileSystemRegistry({
-          uri,
+          uri: fsPath,
           logger: childLogger,
         });
       }