Merge pull request #19293 from overleaf/jpa-issue-19290-2

[clsi] fix parsing of the requested file in symlink validation

GitOrigin-RevId: 86cfe8d62bb99ed6844faee0ff4af507e571e04d

services/clsi/app/js/StaticServerForbidSymlinks.js

@@ -25,9 +25,13 @@ module.exports = ForbidSymlinks = function (staticFn, root, options) {
     let file, projectId, result
     const path = req.url
     // check that the path is of the form /project_id_or_name/path/to/file.log
-    if ((result = path.match(/^\/?([a-zA-Z0-9_-]+)\/(.*)/))) {
+    if ((result = path.match(/^\/([a-zA-Z0-9_-]+)\/(.*)$/s))) {
       projectId = result[1]
       file = result[2]
+      if (path !== `/${projectId}/${file}`) {
+        logger.warn({ path }, 'unrecognized file request')
+        return res.sendStatus(404)
+      }
     } else {
       logger.warn({ path }, 'unrecognized file request')
       return res.sendStatus(404)

services/clsi/test/unit/js/StaticServerForbidSymlinksTests.js

@@ -94,6 +94,23 @@ describe('StaticServerForbidSymlinks', function () {
     })
   })
 
+  describe('with a new line', function () {
+    beforeEach(function () {
+      this.req.url = '/12345/output.pdf\nother file'
+      this.fs.realpath = sinon.stub().yields()
+    })
+
+    it('should process the correct file', function (done) {
+      this.res.sendStatus = () => {
+        this.fs.realpath.should.have.been.calledWith(
+          `${this.settings.path.compilesDir}/12345/output.pdf\nother file`
+        )
+        done()
+      }
+      this.StaticServerForbidSymlinks(this.req, this.res)
+    })
+  })
+
   describe('with a symlink file', function () {
     beforeEach(function () {
       return (this.fs.realpath = sinon