[PR #85] [MERGED] Uncontrolled data used in path expression #212

Closed
opened 2026-03-01 18:44:08 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/netbootxyz/webapp/pull/85
Author: @antonym
Created: 2/13/2025
Status: Merged
Merged: 2/13/2025
Merged by: @antonym

Base: master ← Head: file-path-validation


📝 Commits (1)

  • 05e1d7c Validate user input before using it to construct a file path

📊 Changes

1 file changed (+40 additions, -17 deletions)

📝 app.js (+40 -17)

📄 Description

Potential fix for https://github.com/netbootxyz/webapp/security/code-scanning/6

To fix the problem, we need to ensure that the filename is validated and sanitized before being used to construct file paths. We can achieve this by normalizing the path and ensuring it is contained within the intended directory. We will use the path module to resolve the path and check that it starts with the root directory.

  1. Normalize the filename using path.resolve to remove any .. segments.
  2. Check that the normalized path starts with the intended root directory.
  3. If the path is invalid, return an error or handle it appropriately.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
