fix(security): cookie-import path validation bypass + hardcoded /tmp

Two fixes:
1. cookie-import relative path bypass (#707): path.isAbsolute() gated the
   entire validation, so relative paths like "sensitive-file.json" bypassed
   the safe-directory check entirely. Now always resolves to absolute path
   with realpathSync for symlink resolution, matching validateOutputPath().

2. Hardcoded /tmp in cookie-import-browser (#708): openDbFromCopy used
   /tmp directly instead of os.tmpdir(), breaking Windows support.

Also adds explicit imports for SAFE_DIRECTORIES and isPathWithin in
write-commands.ts (previously resolved implicitly through bundler).

Closes #852

Co-Authored-By: Toby Morning <urbantech@users.noreply.github.com>
Garry Tan
2026-04-13 09:33:48 -07:00
parent ffb56b556d
commit bc80c4fae5
3 changed files with 16 additions and 12 deletions
+2 -1
@@ -1811,7 +1811,8 @@ describe('Path traversal prevention', () => {
await handleWriteCommand('cookie-import', ['../../etc/shadow'], bm);
expect(true).toBe(false);
} catch (err: any) {
expect(err.message).toContain('Path traversal');
// Traversal blocked by safe-directory check (#707) or explicit .. check
expect(err.message).toMatch(/Path must be within|Path traversal/);
}
});
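Review bot: the loosened assertion `expect(err.message).toMatch(/Path must be within|Path traversal/)` no longer pins which check rejects `../../etc/shadow`, so this test passes whether the new safe-directory check (the #707 fix) or the pre-existing explicit `..` check fires, and it would keep passing if the safe-directory check regressed. Since the fix is specifically that relative paths are now resolved and checked against the safe directories, add a separate case that uses a relative name with no `..` in it (the commit message's own `'sensitive-file.json'` example) and assert on the safe-directory message alone, leaving this traversal case as the `..` regression test. Minor: the surrounding `try { ...; expect(true).toBe(false); } catch (err: any) { ... }` shape can be replaced with `await expect(handleWriteCommand('cookie-import', ['../../etc/shadow'], bm)).rejects.toThrow(/Path must be within|Path traversal/);`, which also removes the `any` cast.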