mirror of
https://github.com/netbootxyz/webapp.git
synced 2026-04-25 07:05:59 +03:00
[PR #85] [MERGED] Uncontrolled data used in path expression #212
Labels
No labels
Hacktoberfest
bug
enhancement
no-issue-activity
pull-request
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/webapp#212
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/netbootxyz/webapp/pull/85
Author: @antonym
Created: 2/13/2025
Status: ✅ Merged
Merged: 2/13/2025
Merged by: @antonym
Base:
master← Head:file-path-validation📝 Commits (1)
05e1d7cValidate user input before using it to construct a file path📊 Changes
1 file changed (+40 additions, -17 deletions)
View changed files
📝
app.js(+40 -17)📄 Description
Potential fix for https://github.com/netbootxyz/webapp/security/code-scanning/6
To fix the problem, we need to ensure that the
filenameis validated and sanitized before being used to construct file paths. We can achieve this by normalizing the path and ensuring it is contained within the intended directory. We will use thepathmodule to resolve the path and check that it starts with the root directory.filenameusingpath.resolveto remove any..segments.Suggested fixes powered by Copilot Autofix. Review carefully before merging.
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.