Skip to content

Fix: Path Traversal in preview-server.ts (Arbitrary File Read)#382

Open
AmirGhMohseni wants to merge 3 commits intoAIxBlock-2023:mainfrom
AmirGhMohseni:main
Open

Fix: Path Traversal in preview-server.ts (Arbitrary File Read)#382
AmirGhMohseni wants to merge 3 commits intoAIxBlock-2023:mainfrom
AmirGhMohseni:main

Conversation

@AmirGhMohseni
Copy link
Copy Markdown

@AmirGhMohseni AmirGhMohseni commented Nov 29, 2025
edited
Loading

This PR fixes the critical Path Traversal vulnerability reported in issue https://github.com/AIxBlock-2023/awesome-ai-dev-platform-opensource/issues/381#issue-3676632156.

Changes

  • Validates and canonicalizes file paths using path.resolve()
  • Restricts file access to a safe base directory (SAFE_PREVIEW_DIR)
  • Rejects any path containing .. or absolute paths
  • Allows only safe file extensions (e.g., .png, .pdf)
  • Returns appropriate HTTP errors for invalid requests

Testing

  • Added unit tests covering:
    • Valid file access
    • Path traversal attempts (../../../etc/passwd)
    • Invalid extensions
    • Missing parameters

This patch ensures attackers cannot read arbitrary files like .env or internal configs via the preview endpoint.

@AmirGhMohseni
Enhance security for preview file serving
03736b2 
Added validation and security features for serving preview files.

Signed-off-by: Amir <98203210+AmirGhMohseni@users.noreply.github.com>
@AmirGhMohseni
Add tests for servePreviewFile functionality
dc10045 
Signed-off-by: Amir <98203210+AmirGhMohseni@users.noreply.github.com>
@AmirGhMohseni
Fixed Issue 383
c07ce1c 
Issue 383

Signed-off-by: Amir <98203210+AmirGhMohseni@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AmirGhMohseni