torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): validate resolved data path to prevent path traversal
Some checks failed
Code Analysis and Production Deploy / deploy-production (push) Has been cancelled
Details
Code Analysis and Production Deploy / deploy-test (push) Has been cancelled
Details
Code Analysis and Production Deploy / analyze (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Torsten Schulz (local)
2026-05-27 19:51:15 +02:00
parent 026e4ba3e4
commit 18a08b0e7a
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
server/utils/password-reset-log.js
View File

@@ -14,7 +14,15 @@ function getDataPath(filename) {
const cwd = process.cwd() const cwd = process.cwd()
const dataDir = cwd.endsWith('.output') ? path.join(cwd, '../server/data') : path.join(cwd, 'server/data') const dataDir = cwd.endsWith('.output') ? path.join(cwd, '../server/data') : path.join(cwd, 'server/data')
return path.join(dataDir, safeName)
// build candidate path and verify it's inside the expected data directory
const candidate = path.join(dataDir, safeName)
const resolved = path.resolve(candidate)
const resolvedDataDir = path.resolve(dataDir)
if (!resolved.startsWith(resolvedDataDir + path.sep) && resolved !== resolvedDataDir) {
throw new Error('Invalid data filename (outside data directory)')
}
return resolved
} }
const LOG_FILE = getDataPath('password-reset.log.jsonl') const LOG_FILE = getDataPath('password-reset.log.jsonl')