[Security] WhatsApp accountId path traversal in resolveDefaultAuthDir #2692

@robbyczgw-cla

Summary

resolveDefaultAuthDir() in src/web/accounts.ts uses the accountId parameter directly in path.join() without sanitization, allowing potential path traversal attacks.

Vulnerable Code

// src/web/accounts.ts line 88-90
function resolveDefaultAuthDir(accountId: string): string {
  return path.join(resolveOAuthDir(), "whatsapp", accountId);
  // ^^^ accountId used directly without sanitization
}

Attack Vector

A malicious config with accountId: "../../../etc" could escape the intended directory structure. While this is config-level input (not user input), it's risky for:

  • Multi-user deployments
  • Shared configs
  • Plugin systems that might pass untrusted account IDs

Recommended Fix

Sanitize accountId similar to how Telegram does it in src/telegram/update-offset-store.ts:

function normalizeAccountId(accountId: string): string {
  const trimmed = accountId.trim();
  if (!trimmed) return "default";
  return trimmed.replace(/[^a-z0-9._-]+/gi, "_");
}

function resolveDefaultAuthDir(accountId: string): string {
  return path.join(resolveOAuthDir(), "whatsapp", normalizeAccountId(accountId));
}

Severity

Low-Medium: Config-level input, but defense-in-depth principle suggests sanitization.
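
An added example, not part of the original issue and not the project's code: it runs the unsanitized join and the quoted normalizer side by side, then adds a containment check. `OAUTH_DIR`, `resolveUnsanitized` and `resolveAuthDirChecked` are hypothetical names; `OAUTH_DIR` is a constructed stand-in for `resolveOAuthDir()`. Because the quoted regex allows `.`, an `accountId` of `..` passes through it unchanged, so the example rejects dot-only segments explicitly.

```typescript
import * as path from "node:path";

// Constructed stand-in for the project's resolveOAuthDir() (assumption).
const OAUTH_DIR = "/srv/app/oauth";

// Behaviour of the code quoted under "Vulnerable Code": accountId is joined as-is.
function resolveUnsanitized(accountId: string): string {
  return path.posix.join(OAUTH_DIR, "whatsapp", accountId);
}

// Normalizer as quoted under "Recommended Fix".
function normalizeAccountId(accountId: string): string {
  const trimmed = accountId.trim();
  if (!trimmed) return "default";
  return trimmed.replace(/[^a-z0-9._-]+/gi, "_");
}

// Hypothetical hardened resolver: normalize, reject dot-only segments
// (the regex allows ".", so "." and ".." pass through it unchanged),
// then confirm the resolved path is still inside the whatsapp directory.
function resolveAuthDirChecked(accountId: string): string {
  const root = path.posix.resolve(OAUTH_DIR, "whatsapp");
  const segment = normalizeAccountId(accountId);
  if (/^\.+$/.test(segment)) {
    throw new Error(`accountId resolves to a dot segment: ${JSON.stringify(accountId)}`);
  }
  const resolved = path.posix.resolve(root, segment);
  if (!resolved.startsWith(root + "/")) {
    throw new Error(`accountId escapes ${root}: ${JSON.stringify(accountId)}`);
  }
  return resolved;
}

// Constructed sample inputs; prints how each one is handled.
for (const id of ["work", "  ", "../../../etc", ".."]) {
  let checked: string;
  try {
    checked = resolveAuthDirChecked(id);
  } catch (err) {
    checked = `rejected (${(err as Error).message})`;
  }
  console.log(JSON.stringify(id), "| unsanitized:", resolveUnsanitized(id), "| checked:", checked);
}
```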
