Skip to content

feat: Introduce safeResolve and deployment name validation to preve…#123

Open
codxbrexx wants to merge 1 commit intometacall:masterfrom
codxbrexx:fix/path-traversal-delete-guards
Open

feat: Introduce safeResolve and deployment name validation to preve…#123
codxbrexx wants to merge 1 commit intometacall:masterfrom
codxbrexx:fix/path-traversal-delete-guards

Conversation

@codxbrexx
Copy link
Copy Markdown
Contributor

Summary

Adds a safeResolve utility and a deployment name allowlist to make sure recursive deletes can't escape the app directory. Also includes two CI fixes that were blocking local integration tests.

Related issue

Part of tracking epic #99
Fixes #121

Type of change

  • Bug fix
  • New feature
  • Documentation
  • Chore / CI
  • Breaking change

How to test

  1. Checkout fix/path-traversal-delete-guards
  2. Run npm ci
  3. Run npm test , all 20 tests should pass including the new safeResolve() suite
  4. Try DELETE /api/deploy with suffix: "../etc" , expect a 400
  5. Try a normal valid delete , should still work

Checklist

  • I have read the contributing guidelines
  • I added tests that prove my fix is effective or that my feature works
  • I updated documentation if necessary

Notes for reviewers

Three things changed in this PR:

Issue 8 (path traversal):

  • New src/utils/safePath.tssafeResolve(baseDir, child) resolves the target path and throws 400 if it escapes baseDir
  • delete.ts — validates suffix against ^[a-zA-Z0-9._-]+$ before any path work; uses safeResolve instead of raw join
  • repository.tsrepositoryDelete helper now uses safeResolve so the cleanup can't escape appsDirectory even if repositoryName degrades

Note: The CI integration tests on this PR will only pass after #122 (CI fix — healthcheck, busboy race, protocol patch) is merged first. The path traversal change itself is isolated and has no code dependency on those fixes.

Release notes

Added path boundary validation to the delete endpoint and repository cleanup. A crafted deployment name can no longer cause rm to delete files outside the app directory.

Test

image image

…nt path traversal, and fix a dependency issue in the Dockerfile
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: delete endpoint passes unsanitized user input to recursive rm without path boundary check

1 participant