Merge pull request #95 from ClayPulse/hotfix

Shellishack · web-flow · commit 6f10d71c62b4 · 2025-10-31T03:04:57.000+08:00
Separate app route and workspace root
diff --git a/remote-workspace/src/servers/api-server/platform-api/handler.ts b/remote-workspace/src/servers/api-server/platform-api/handler.ts
@@ -4,21 +4,22 @@ import path from "path";
 
 // Define a safe root directory for projects. Can be overridden by env or configured as needed.
 // All incoming URIs will be resolved and validated to ensure they don't escape this root.
-const SAFE_ROOT = path.resolve(
-  process.env.PLATFORM_API_ROOT ?? "/pulse-editor",
-);
 
-const settingsPath = path.join(SAFE_ROOT, "settings.json");
+const appRoot = "/pulse-editor";
 
-function safeResolve(uri: string): string {
+const workspaceRoot = "/workspace";
+
+const settingsPath = path.join(appRoot, "settings.json");
+
+function safeWorkspaceResolve(uri: string): string {
   if (!uri || typeof uri !== "string") {
     throw new Error("Invalid path");
   }
 
-  // Canonicalize the SAFE_ROOT once for this function
-  const rootPath = path.resolve(SAFE_ROOT);
+  // Canonicalize the workspaceRoot once for this function
+  const rootPath = path.resolve(workspaceRoot);
   // Combine and normalize the user input relative to the safe root
-  const candidate = path.resolve(SAFE_ROOT, uri);
+  const candidate = path.resolve(uri);
 
   // Check that candidate is strictly under rootPath (or equal to rootPath)
   const rel = path.relative(rootPath, candidate);
@@ -136,7 +137,7 @@ export async function handlePlatformAPIRequest(
 
 // List all folders in a path
 async function handleListProjects(uri: string) {
-  const rootPath = safeResolve(uri);
+  const rootPath = safeWorkspaceResolve(uri);
   const files = await fs.promises.readdir(rootPath, { withFileTypes: true });
   const folders = files
     .filter((file) => file.isDirectory())
@@ -154,7 +155,7 @@ async function listPathContent(
   options: any,
   baseUri: string | undefined = undefined,
 ) {
-  const rootPath = safeResolve(uri);
+  const rootPath = safeWorkspaceResolve(uri);
   const files = await fs.promises.readdir(rootPath, { withFileTypes: true });
 
   const promise: Promise<any>[] = files
@@ -211,13 +212,13 @@ async function handleListPathContent(uri: string, options: any) {
 
 async function handleCreateProject(uri: string) {
   // Create a folder at the validated path
-  const safe = safeResolve(uri);
+  const safe = safeWorkspaceResolve(uri);
   await fs.promises.mkdir(safe, { recursive: true });
 }
 
 async function handleDeleteProject(uri: string) {
   // Delete the folder at the validated path
-  const safe = safeResolve(uri);
+  const safe = safeWorkspaceResolve(uri);
   await fs.promises.rm(safe, { recursive: true, force: true });
 }
 
@@ -228,34 +229,34 @@ async function handleUpdateProject(
     ctime?: Date;
   },
 ) {
-  const safeOld = safeResolve(uri);
+  const safeOld = safeWorkspaceResolve(uri);
   const newPathCandidate = path.join(path.dirname(safeOld), updatedInfo.name);
-  const safeNew = safeResolve(newPathCandidate);
+  const safeNew = safeWorkspaceResolve(newPathCandidate);
   await fs.promises.rename(safeOld, safeNew);
 }
 
 async function handleCreateFolder(uri: string) {
   // Create a folder at the validated path
-  const safe = safeResolve(uri);
+  const safe = safeWorkspaceResolve(uri);
   await fs.promises.mkdir(safe, { recursive: true });
 }
 
 async function handleCreateFile(uri: string) {
   // Create a file at the validated path
-  const safe = safeResolve(uri);
+  const safe = safeWorkspaceResolve(uri);
   // ensure parent exists
   await fs.promises.mkdir(path.dirname(safe), { recursive: true });
   await fs.promises.writeFile(safe, "");
 }
 
 async function handleRename(oldUri: string, newUri: string) {
-  const safeOld = safeResolve(oldUri);
-  const safeNew = safeResolve(newUri);
+  const safeOld = safeWorkspaceResolve(oldUri);
+  const safeNew = safeWorkspaceResolve(newUri);
   await fs.promises.rename(safeOld, safeNew);
 }
 
 async function handleDelete(uri: string) {
-  const safe = safeResolve(uri);
+  const safe = safeWorkspaceResolve(uri);
   await fs.promises.rm(safe, {
     recursive: true,
     force: true,
@@ -264,7 +265,7 @@ async function handleDelete(uri: string) {
 
 async function handleHasPath(uri: string) {
   try {
-    const safe = safeResolve(uri);
+    const safe = safeWorkspaceResolve(uri);
     return fs.existsSync(safe);
   } catch (err) {
     return false;
@@ -273,14 +274,14 @@ async function handleHasPath(uri: string) {
 
 async function handleReadFile(uri: string) {
   // Read the file at validated path
-  const safe = safeResolve(uri);
+  const safe = safeWorkspaceResolve(uri);
   const data = await fs.promises.readFile(safe, "utf-8");
   return data;
 }
 
 async function handleWriteFile(data: any, uri: string) {
   // Write the data at validated path
-  const safePath = safeResolve(uri);
+  const safePath = safeWorkspaceResolve(uri);
   // create parent directory if it doesn't exist
   const dir = path.dirname(safePath);
   if (!fs.existsSync(dir)) {
@@ -292,8 +293,8 @@ async function handleWriteFile(data: any, uri: string) {
 
 async function handleCopyFiles(from: string, to: string) {
   // Copy the files from the validated from path to the validated to path
-  const safeFrom = safeResolve(from);
-  const safeTo = safeResolve(to);
+  const safeFrom = safeWorkspaceResolve(from);
+  const safeTo = safeWorkspaceResolve(to);
   await fs.promises.cp(safeFrom, safeTo, { recursive: true });
 }
 
