Merge pull request #94 from ClayPulse/hotfix

Shellishack · web-flow · commit 5cfeea3e4d1f · 2025-10-31T02:53:15.000+08:00
Apply codeql suggestion
diff --git a/remote-workspace/src/servers/api-server/platform-api/handler.ts b/remote-workspace/src/servers/api-server/platform-api/handler.ts
@@ -21,7 +21,9 @@ function safeResolve(uri: string): string {
   const candidate = path.resolve(SAFE_ROOT, uri);
 
   // Check that candidate is strictly under rootPath (or equal to rootPath)
-  if (candidate === rootPath || candidate.startsWith(rootPath + path.sep)) {
+  const rel = path.relative(rootPath, candidate);
+  // Allow if candidate is rootPath itself, or a subpath (not escaping via '..', not absolute)
+  if (rel === "" || (!rel.startsWith("..") && !path.isAbsolute(rel))) {
     return candidate;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,9 @@ function safeResolve(uri: string): string {`
`21`	`21`	`const candidate = path.resolve(SAFE_ROOT, uri);`
`22`	`22`
`23`	`23`	`// Check that candidate is strictly under rootPath (or equal to rootPath)`
`24`		`- if (candidate === rootPath \|\| candidate.startsWith(rootPath + path.sep)) {`
	`24`	`+ const rel = path.relative(rootPath, candidate);`
	`25`	`+ // Allow if candidate is rootPath itself, or a subpath (not escaping via '..', not absolute)`
	`26`	`+ if (rel === "" \|\| (!rel.startsWith("..") && !path.isAbsolute(rel))) {`
`25`	`27`	`return candidate;`
`26`	`28`	`}`
`27`	`29`