Summary of Fixes

Detailed Jira Ticket 🎟MONGOSH-2914

• packages/build/src/download-center/config.spec.ts

User input (req.url) was being written directly to the HTTP response using res.end(req.url);, making the application vulnerable to reflected cross-site scripting (XSS). A malicious actor could craft a specially formed URL containing HTML or JavaScript, which would be reflected back and executed in a victim’s browser.

Fix:

• Imported the escape-html library.
• Sanitized all user-controlled output before sending it in HTTP responses.

This ensures all HTML-sensitive characters are encoded safely before being returned in the response.
Prevents reflected XSS attacks while preserving the intended functionality of the HTTP handler.

• packages/snippet-manager/src/snippet-manager.spec.ts

File paths were being constructed using unvalidated user input (req.url) via:

path.join(__dirname, '..', 'test', 'fixtures', '.' + req.url)

This approach allowed potential directory traversal, enabling access to files outside the intended fixtures directory if crafted paths such as ../../ were provided.

• Introduced a strict validation check using path.resolve() and prefix comparison.

• Ensured that only paths within the intended fixtures root are served.

• Updated the file path construction to:

  const fixturesRoot = path.resolve(__dirname, '..', 'test', 'fixtures');
  const requestedPath = path.resolve(fixturesRoot, '.' + req.url);
  if (!requestedPath.startsWith(fixturesRoot + path.sep)) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('Forbidden');
    return;
  }
  const source = createReadStream(requestedPath);

Additional Adjustments:

• Declared fixturesRoot once outside the request handler for reuse.
• Applied consistent error handling for invalid paths (returns HTTP 403).

Eliminates directory traversal risks and ensures that only authorized fixture files can be accessed or read during test operations.

• packages/editor/src/editor.ts

The code dynamically constructed a shell command with:

spawn(editor, [path.basename(tmpDoc)], { shell: true, ... });

When shell: true is enabled, unescaped input in the command arguments can lead to shell injection, where special characters in the file name could alter the executed command or inject arbitrary commands.

Fix:

• Imported the shell-quote module for secure shell argument escaping.

• Escaped the filename argument before passing it to spawn.

• Updated the code to:

  const shellQuote = require('shell-quote');
  spawn(editor, [shellQuote.quote([path.basename(tmpDoc)])], { shell: true, ... });

  Alternatively, to quote both command and arguments:

  spawn(shellQuote.quote([editor, path.basename(tmpDoc)]), { shell: true, ... });

Prevents command injection while preserving the expected shell command behavior.
All user-influenced paths and arguments are now properly escaped before execution.
This fixes request improves the overall security posture of mongosh by introducing:

• Proper HTML escaping to mitigate XSS,
• Safe file path resolution to prevent directory traversal,
• And shell argument sanitization to prevent command injection.