security: hardening for 2.6.4

- Refuse to build filesystem paths when lng/ns contains .., path
  separators, control chars, prototype keys, or > 128 chars
  (CWE-22). Prevents arbitrary filesystem read/write via
  attacker-controlled language-code values.
- Document the trust model in a new "Security considerations"
  README section — especially that .js/.ts locale files are eval'd
  and must be treated as code.
- Ignore .env*, *.pem, *.key in .gitignore.

The .js/.ts eval behaviour itself is retained as an intentional
feature; safe sync replacements don't exist for it.

GHSA advisory to be filed after release.

Author: adrai

.gitignore

@@ -3,4 +3,11 @@ node_modules
 package-lock.json
 cjs
 esm
-deno.lock
+deno.lock
+
+# Secrets & credentials
+.env
+.env.*
+!.env.example
+*.pem
+*.key

CHANGELOG.md

@@ -1,3 +1,11 @@
+### 2.6.4
+
+Security release — all issues found via an internal audit. GHSA advisory filed after release.
+
+- security: refuse to build filesystem paths when `lng` or `ns` values contain `..`, path separators (`/`, `\`), control characters, prototype keys (`__proto__` / `constructor` / `prototype`), or exceed 128 chars. Prevents arbitrary filesystem read / write via attacker-controlled language-code values. Any legitimate i18next language-code shape (BCP-47-like, underscores, hyphens, dots, `+`-joined multi-language requests) is still accepted (GHSA-TBD)
+- docs: new "Security considerations" README section — documents the filesystem-path sanitiser and clarifies the trust model around `.js`/`.ts` locale files (their content is `eval`-ed, so they must be treated as code). The `eval` behaviour itself is retained: dynamic expressions in `.js`/`.ts` locale files are an intentional feature, and safe replacements like `import()` are async-only and not viable for this sync-capable code path.
+- chore: ignore `.env*` and `*.pem`/`*.key` files in `.gitignore`.
+
 ### 2.6.3
 
 - use own interpolation function instead of relying on i18next's interpolator

README.md

@@ -137,6 +137,55 @@ i18next
   })
 ```
 
+## Security considerations
+
+### Language / namespace values reach the filesystem
+
+`i18next-fs-backend` substitutes the `lng` and `ns` options into the
+configured `loadPath` / `addPath` templates and reads / writes the resulting
+file. If those values come from an untrusted source (HTTP query string,
+cookie, request header), a crafted value could break out of the intended
+locale directory and read or overwrite files elsewhere on disk.
+
+Since **2.6.4**, values containing `..`, `/`, `\`, control characters,
+prototype keys (`__proto__`, `constructor`, `prototype`), or longer than
+128 characters are rejected — the backend refuses to build the filesystem
+path and returns an error to the caller. Any legitimate i18next
+language-code shape (BCP-47, underscores, dots, `+`-joined multi-language
+requests) is still accepted.
+
+This is a defence-in-depth layer. It does **not** replace the usual
+responsibility to validate `lng` / `ns` at your application boundary —
+especially when either comes from user input.
+
+### `.js` / `.ts` locale files are executed via `eval`
+
+The backend supports loading translation data from `.js` and `.ts` files by
+`eval`-ing their content. This is an intentional feature — it allows
+expressions, comments, and module-style default exports in locale files —
+but it carries a real trust requirement:
+
+> **Treat every `.js` / `.ts` locale file as code that will run with the
+> full privileges of your Node process**, including access to
+> `process.env`, the filesystem, and the network.
+
+Concretely that means:
+
+- Never load `.js` / `.ts` locale files from an untrusted or writable
+  source (user uploads, compromised CDN, shared-mount drops).
+- If your build / deploy pipeline produces locale files, secure the
+  pipeline the same way you would secure any code-producing pipeline
+  (signed commits, reviewed merges, protected branches).
+- Prefer **JSON / JSON5 / YAML / JSONC** for locale files whenever you
+  don't need expression-level dynamism — those formats are parsed, not
+  executed.
+
+### Reporting a vulnerability
+
+Please **do not** open a public GitHub issue for security problems. Send
+reports privately via the [GitHub Security Advisories](https://github.com/i18next/i18next-fs-backend/security/advisories/new)
+flow on the repository.
+
 ---
 
 <h3 align="center">Gold Sponsors</h3>

lib/index.js

@@ -1,4 +1,4 @@
-import { defaults, debounce, getPath, setPath, pushPath, interpolate } from './utils.js'
+import { defaults, debounce, getPath, setPath, pushPath, interpolatePath } from './utils.js'
 import { readFile, readFileSync } from './readFile.js'
 import { writeFile, removeFile } from './writeFile.js'
 
@@ -35,7 +35,10 @@ class Backend {
     if (typeof this.options.loadPath === 'function') {
       loadPath = this.options.loadPath(language, namespace)
     }
-    const filename = interpolate(loadPath, { lng: language, ns: namespace })
+    const filename = interpolatePath(loadPath, { lng: language, ns: namespace })
+    if (filename == null) {
+      return callback(new Error('i18next-fs-backend: unsafe lng/ns value — refusing to build filesystem path'), false)
+    }
     if (this.allOptions.initAsync === false || this.allOptions.initImmediate === false) {
       try {
         const { data, stat } = readFileSync(filename, this.options)
@@ -98,7 +101,8 @@ class Backend {
     if (typeof this.options.addPath === 'function') {
       addPath = this.options.addPath(language, namespace)
     }
-    const filename = interpolate(addPath, { lng: language, ns: namespace })
+    const filename = interpolatePath(addPath, { lng: language, ns: namespace })
+    if (filename == null) return
     removeFile(filename, this.options)
       .then(() => {})
       .catch(() => {})
@@ -124,7 +128,13 @@ class Backend {
       addPath = this.options.addPath(lng, namespace)
     }
 
-    const filename = interpolate(addPath, { lng, ns: namespace })
+    const filename = interpolatePath(addPath, { lng, ns: namespace })
+    if (filename == null) {
+      // drop unsafe queued writes silently — attempting to persist them
+      // would either fail or (worse) land in an unexpected filesystem location
+      setPath(this.queuedWrites, [lng, namespace], [])
+      return
+    }
 
     const missings = getPath(this.queuedWrites, [lng, namespace])
     setPath(this.queuedWrites, [lng, namespace], [])

lib/utils.js

@@ -2,17 +2,37 @@ const arr = []
 const each = arr.forEach
 const slice = arr.slice
 
+const UNSAFE_KEYS = ['__proto__', 'constructor', 'prototype']
+
 export function defaults (obj) {
   each.call(slice.call(arguments, 1), (source) => {
     if (source) {
-      for (const prop in source) {
+      for (const prop of Object.keys(source)) {
+        if (UNSAFE_KEYS.indexOf(prop) > -1) continue
         if (obj[prop] === undefined) obj[prop] = source[prop]
       }
     }
   })
   return obj
 }
 
+// Returns true if `v` can be safely interpolated into a filesystem path.
+// Denylist approach — i18next permits arbitrary language-code shapes
+// (https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)
+// so we only block the concrete attack patterns: path traversal, path
+// separators (so attacker cannot break out of the locale directory),
+// control characters, prototype keys, and oversized inputs.
+export function isSafePathSegment (v) {
+  if (typeof v !== 'string') return false
+  if (v.length === 0 || v.length > 128) return false
+  if (UNSAFE_KEYS.indexOf(v) > -1) return false
+  if (v.indexOf('..') > -1) return false
+  if (v.indexOf('/') > -1 || v.indexOf('\\') > -1) return false
+  // eslint-disable-next-line no-control-regex
+  if (/[\x00-\x1F\x7F]/.test(v)) return false
+  return true
+}
+
 export function debounce (func, wait, immediate) {
   let timeout
   return function () {
@@ -72,7 +92,32 @@ export function getPath (object, path) {
 const interpolationRegexp = /\{\{(.+?)\}\}/g
 export function interpolate (str, data) {
   return str.replace(interpolationRegexp, (match, key) => {
-    const value = data[key.trim()]
+    const k = key.trim()
+    if (UNSAFE_KEYS.indexOf(k) > -1) return match
+    const value = data[k]
     return value != null ? value : match
   })
 }
+
+// Path-specific variant: reject values that fail the path-segment safety
+// check. Returns `null` if any substitution is unsafe — callers should bail
+// out cleanly rather than issue the filesystem read/write. For multi-value
+// joins (`en+de`), validates each `+`-separated segment independently.
+export function interpolatePath (str, data) {
+  let unsafe = false
+  const result = str.replace(interpolationRegexp, (match, key) => {
+    const k = key.trim()
+    if (UNSAFE_KEYS.indexOf(k) > -1) return match
+    const value = data[k]
+    if (value == null) return match
+    const segments = String(value).split('+')
+    for (const seg of segments) {
+      if (!isSafePathSegment(seg)) {
+        unsafe = true
+        return match
+      }
+    }
+    return segments.join('+')
+  })
+  return unsafe ? null : result
+}

test/security.js

@@ -0,0 +1,116 @@
+import expect from 'expect.js'
+import { dirname } from 'path'
+import { fileURLToPath } from 'url'
+const __dirname = dirname(fileURLToPath(import.meta.url))
+import i18next from 'i18next'
+import Backend from '../index.js'
+import { isSafePathSegment, interpolate, interpolatePath } from '../lib/utils.js'
+
+// Security tests for fixes shipped in the 2.6.x patch release.
+// See CHANGELOG for associated GHSA advisory.
+
+describe('security', () => {
+  describe('isSafePathSegment', () => {
+    it('accepts arbitrary language-code shapes', () => {
+      expect(isSafePathSegment('en')).to.be(true)
+      expect(isSafePathSegment('de-DE')).to.be(true)
+      expect(isSafePathSegment('en_US')).to.be(true)
+      expect(isSafePathSegment('zh-Hant-HK')).to.be(true)
+      expect(isSafePathSegment('pirate-speak')).to.be(true)
+      expect(isSafePathSegment('my-custom.ns')).to.be(true)
+    })
+
+    it('rejects path-traversal / separator / control-char payloads', () => {
+      expect(isSafePathSegment('../etc/passwd')).to.be(false)
+      expect(isSafePathSegment('..')).to.be(false)
+      expect(isSafePathSegment('foo/bar')).to.be(false)
+      expect(isSafePathSegment('foo\\bar')).to.be(false)
+      expect(isSafePathSegment('en\r\n')).to.be(false)
+      expect(isSafePathSegment('en\u0000')).to.be(false)
+      expect(isSafePathSegment('__proto__')).to.be(false)
+      expect(isSafePathSegment('')).to.be(false)
+      expect(isSafePathSegment('a'.repeat(200))).to.be(false)
+    })
+  })
+
+  describe('interpolate', () => {
+    it('skips __proto__ key lookups in the data object', () => {
+      const out = interpolate('x {{__proto__}} y', { __proto__: { polluted: true } })
+      expect(out).to.equal('x {{__proto__}} y')
+      expect(({}).polluted).to.be(undefined)
+    })
+    it('substitutes normal keys', () => {
+      expect(interpolate('{{lng}}/{{ns}}.json', { lng: 'en', ns: 'common' }))
+        .to.equal('en/common.json')
+    })
+  })
+
+  describe('interpolatePath', () => {
+    it('accepts plain codes', () => {
+      expect(interpolatePath('/locales/{{lng}}/{{ns}}.json', { lng: 'en', ns: 'common' }))
+        .to.equal('/locales/en/common.json')
+    })
+    it('accepts + joins (multi-language)', () => {
+      expect(interpolatePath('/locales/{{lng}}/{{ns}}.json', { lng: 'en+de', ns: 'a' }))
+        .to.equal('/locales/en+de/a.json')
+    })
+    it('returns null for path traversal', () => {
+      expect(interpolatePath('/locales/{{lng}}/{{ns}}.json', { lng: '../etc/passwd', ns: 'x' }))
+        .to.equal(null)
+      expect(interpolatePath('/locales/{{lng}}/{{ns}}.json', { lng: 'en', ns: '..' }))
+        .to.equal(null)
+    })
+    it('returns null for path separators', () => {
+      expect(interpolatePath('/locales/{{lng}}/{{ns}}.json', { lng: 'en/../', ns: 'x' }))
+        .to.equal(null)
+      expect(interpolatePath('/locales/{{lng}}/{{ns}}.json', { lng: 'en\\x', ns: 'x' }))
+        .to.equal(null)
+    })
+    it('returns null when a segment of a + join is unsafe', () => {
+      expect(interpolatePath('/locales/{{lng}}.json', { lng: 'en+../etc/passwd' }))
+        .to.equal(null)
+    })
+  })
+
+  describe('Backend.read refuses unsafe lng/ns', () => {
+    let backend
+    before(() => {
+      i18next.init({ fallbackLng: 'en', ns: 'test' })
+      const connector = i18next.services.backendConnector
+      backend = new Backend(i18next.services, {
+        loadPath: `${__dirname}/locales/{{lng}}/{{ns}}.json`,
+        addPath: `${__dirname}/locales/{{lng}}/{{ns}}.json`
+      }, connector.allOptions || {})
+    })
+
+    it('does not read outside the locale directory on lng=../../etc/passwd', (done) => {
+      backend.read('../../etc/passwd', 'test', (err, data) => {
+        expect(err).to.be.an(Error)
+        expect(err.message).to.contain('unsafe lng/ns')
+        expect(data).to.be(false)
+        done()
+      })
+    })
+
+    it('does not read when ns contains a slash', (done) => {
+      backend.read('en', '../../etc/passwd', (err, data) => {
+        expect(err).to.be.an(Error)
+        expect(err.message).to.contain('unsafe lng/ns')
+        expect(data).to.be(false)
+        done()
+      })
+    })
+
+    it('still reads legitimate languages (regression guard)', (done) => {
+      backend.read('en', 'test', (err, data) => {
+        // No assertion on data (file may or may not exist in this suite) —
+        // the key point is that the safety guard did NOT reject a legit value.
+        if (err && /unsafe lng\/ns/.test(err.message)) {
+          done(new Error('safety guard rejected a legitimate input'))
+          return
+        }
+        done()
+      })
+    })
+  })
+})