Fix #531

Author: brendan-kellam

packages/web/src/features/fileTree/api.ts

@@ -9,14 +9,15 @@ import { createLogger } from '@sourcebot/shared';
 import path from 'path';
 import { simpleGit } from 'simple-git';
 import { FileTreeItem } from './types';
-import { buildFileTree, isPathValid, normalizePath } from './utils';
+import { buildFileTree, normalizePath } from './utils';
 import { compareFileTreeItems } from './utils';
 
 const logger = createLogger('file-tree');
 
 /**
- * Returns the tree of files (blobs) and directories (trees) for a given repository,
- * at a given revision.
+ * Returns a file tree spanning the union of all provided paths for the given
+ * repo/revision, including intermediate directories needed to connect them
+ * into a single tree.
  */
 export const getTree = async (params: { repoName: string, revisionName: string, paths: string[] }) => sew(() =>
     withOptionalAuthV2(async ({ org, prisma }) => {
@@ -35,10 +36,6 @@ export const getTree = async (params: { repoName: string, revisionName: string,
         const { path: repoPath } = getRepoPath(repo);
 
         const git = simpleGit().cwd(repoPath);
-        if (!paths.every(path => isPathValid(path))) {
-            return notFound();
-        }
-
         const normalizedPaths = paths.map(path => normalizePath(path));
 
         let result: string = '';
@@ -103,9 +100,6 @@ export const getFolderContents = async (params: { repoName: string, revisionName
         const { path: repoPath } = getRepoPath(repo);
         const git = simpleGit().cwd(repoPath);
 
-        if (!isPathValid(path)) {
-            return notFound();
-        }
         const normalizedPath = normalizePath(path);
 
         let result: string;

packages/web/src/features/fileTree/utils.test.ts

@@ -1,5 +1,5 @@
 import { expect, test } from 'vitest';
-import { buildFileTree, isPathValid, normalizePath } from './utils';
+import { buildFileTree, normalizePath } from './utils';
 
 test('normalizePath adds a trailing slash and strips leading slashes', () => {
     expect(normalizePath('/a/b')).toBe('a/b/');
@@ -13,15 +13,6 @@ test('normalizePath returns empty string for root', () => {
     expect(normalizePath('/')).toBe('');
 });
 
-test('isPathValid rejects traversal and null bytes', () => {
-    expect(isPathValid('a/../b')).toBe(false);
-    expect(isPathValid('a/\0b')).toBe(false);
-});
-
-test('isPathValid allows normal paths', () => {
-    expect(isPathValid('a/b')).toBe(true);
-});
-
 test('buildFileTree handles a empty flat list', () => {
     const flatList: { type: string, path: string }[] = [];
     const tree = buildFileTree(flatList);

packages/web/src/features/fileTree/utils.ts

@@ -21,12 +21,6 @@ export const normalizePath = (path: string): string => {
     return normalizedPath;
 }
 
-// @note: we don't allow directory traversal
-// or null bytes in the path.
-export const isPathValid = (path: string) => {
-    return !path.includes('..') && !path.includes('\0');
-}
-
 export const buildFileTree = (flatList: { type: string, path: string }[]): FileTreeNode => {
     const root: FileTreeNode = {
         name: 'root',