Skip to content

[Security] Dynamic import() in translation manager accepts unsanitized language codes — path traversal risk #719

Description

@RUKAYAT-CODER

Overview

src/locales/translationManager.ts line 30 performs await import(\./\.json\) where language comes directly from user-supplied input. An attacker can pass ../../lib/secrets as the language code and potentially load arbitrary modules or files on the server.

Specifications

Features:

  • Language codes are validated against a strict allowlist before any dynamic import
  • Unsupported language codes fall back to English without performing the import

Tasks:

  • Before the dynamic import, validate: if (!SUPPORTED_LANGUAGES.includes(language)) { language = DEFAULT_LANGUAGE; }
  • Ensure SUPPORTED_LANGUAGES is an exhaustive array of ISO 639-1 codes
  • Add a test asserting that a path-traversal string like ../../etc/passwd falls back to English
  • Consider using a static import map instead of dynamic imports

Impacted Files:

  • src/locales/translationManager.ts
  • src/locales/config.ts

Acceptance Criteria

  • Language codes not in SUPPORTED_LANGUAGES do not trigger a dynamic import
  • Path traversal strings are rejected before any file system access
  • Fallback to English occurs gracefully for unsupported locales

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions