From 18a08b0e7ae18429c490b5e331a898c44c709453 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Wed, 27 May 2026 19:51:15 +0200
Subject: [PATCH] fix(security): validate resolved data path to prevent path traversal
---
 server/utils/password-reset-log.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/server/utils/password-reset-log.js b/server/utils/password-reset-log.js
index c5bb0b6..b8fde36 100644
--- a/server/utils/password-reset-log.js
+++ b/server/utils/password-reset-log.js
@@ -14,7 +14,15 @@ function getDataPath(filename) {
 const cwd = process.cwd()
 const dataDir = cwd.endsWith('.output') ? path.join(cwd, '../server/data') : path.join(cwd, 'server/data')
- return path.join(dataDir, safeName)
+
+ // build candidate path and verify it's inside the expected data directory
+ const candidate = path.join(dataDir, safeName)
+ const resolved = path.resolve(candidate)
+ const resolvedDataDir = path.resolve(dataDir)
+ if (!resolved.startsWith(resolvedDataDir + path.sep) && resolved !== resolvedDataDir) {
+ throw new Error('Invalid data filename (outside data directory)')
+ }
+ return resolved
 }
 const LOG_FILE = getDataPath('password-reset.log.jsonl')
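Review bot: The second clause of the new guard, `resolved !== resolvedDataDir`, accepts a name that resolves to the data directory itself, so an empty or `.` `safeName` returns the directory and the error only surfaces later when a caller tries to open it as a file. Since the function is meant to return a file inside the directory, the condition can be reduced to `if (!resolved.startsWith(resolvedDataDir + path.sep)) {`. The check is also purely lexical: `path.resolve` does not follow symlinks, so a symlinked entry inside `server/data` would still pass; if that matters for this deployment, compare real paths (e.g. via `fs.realpathSync` on the directory) and note the limitation in the comment. `safeName` is computed above the hunk, so how much it already strips (presumably a basename) cannot be confirmed from the visible lines.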