github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 00:58:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): restrict skill download target paths

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-16 03:46:32 +01:00
parent c6c53437f7
commit 2363e1b085
9 changed files with 442 additions and 324 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/infra/path-safety.ts Normal file
View File

@@ -0,0 +1,20 @@
import path from "node:path";
export function resolveSafeBaseDir(rootDir: string): string {
const resolved = path.resolve(rootDir);
return resolved.endsWith(path.sep) ? resolved : `${resolved}${path.sep}`;
}
export function isWithinDir(rootDir: string, targetPath: string): boolean {
const resolvedRoot = path.resolve(rootDir);
const resolvedTarget = path.resolve(targetPath);
// Windows paths are effectively case-insensitive; normalize to avoid false negatives.
if (process.platform === "win32") {
const relative = path.win32.relative(resolvedRoot.toLowerCase(), resolvedTarget.toLowerCase());
return relative === "" || (!relative.startsWith("..") && !path.win32.isAbsolute(relative));
}
const relative = path.relative(resolvedRoot, resolvedTarget);
return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
}