From 5074e8f8f8e166e29fac6dd433b60eb3155da9b2 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Wed, 27 May 2026 19:53:59 +0200
Subject: [PATCH] fix(security): centralize data path validation in getServerDataPath; enforce segment whitelist and resolved-path check

---
 server/utils/paths.js | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/server/utils/paths.js b/server/utils/paths.js
index 3e49003..15827db 100644
--- a/server/utils/paths.js
+++ b/server/utils/paths.js
@@ -28,5 +28,21 @@ export function getProjectPath(...segments) {
 }
 
 export function getServerDataPath(...segments) {
-  return getProjectPath('server', 'data', ...segments)
+  // Validate segments: only allow simple filenames/dirnames (no path separators)
+  const SEGMENT_RE = /^[a-zA-Z0-9._-]+$/
+  for (const s of segments) {
+    if (!SEGMENT_RE.test(String(s || ''))) {
+      throw new Error(`Invalid data path segment: ${String(s)}`)
+    }
+  }
+
+  const dataDir = getProjectPath('server', 'data')
+  const candidate = path.join(dataDir, ...segments)
+  const resolved = path.resolve(candidate)
+  const resolvedDataDir = path.resolve(dataDir)
+  if (!resolved.startsWith(resolvedDataDir + path.sep) && resolved !== resolvedDataDir) {
+    throw new Error('Resolved data path is outside server/data')
+  }
+
+  return resolved
 }
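Review bot: The segment whitelist `SEGMENT_RE = /^[a-zA-Z0-9._-]+$/` accepts the segments `.` and `..`, because both consist only of dots, so the "simple filenames/dirnames" comment overstates what the check enforces and a `..` segment is stopped solely by the later resolved-path comparison. Rejecting these explicitly keeps the two layers independent: `if (s === '.' || s === '..' || !SEGMENT_RE.test(String(s || '')))`. The error message also echoes the rejected segment verbatim via `${String(s)}`; if these errors ever reach HTTP responses or logs consumed by other tooling, consider omitting the value or truncating it. Note that `path.resolve` does not follow symlinks, so a link created under `server/data` could still point outside the directory; `fs.realpathSync` on the parent would close that gap if the data directory is writable by untrusted code. This assumes `path` is imported at the top of the file, which is outside the hunk.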