From 9e341e9188c2f27818ef7b757ca7a24623e9ced1 Mon Sep 17 00:00:00 2001
From: quactv <51528368+tranquac@users.noreply.github.com>
Date: Fri, 27 Mar 2026 20:50:12 +0700
Subject: [PATCH] fix: prevent path traversal via crafted session token in FileTokenStore

Signed-off-by: tranquac
---
 server/file_token.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/server/file_token.go b/server/file_token.go
index 07f19dc..850b1f0 100644
--- a/server/file_token.go
+++ b/server/file_token.go
@@ -73,7 +73,13 @@ func (f *FileTokenStore) Revoke(token string) error {
 }
 
 func (f *FileTokenStore) getSessionFile(token string) string {
-	return filepath.Join(f.root, filepath.Clean(sessionPrefix+token))
+	// Sanitize token to prevent path traversal — only allow UUID characters
+	for _, c := range token {
+		if !((c >= 'a' && c <= 'f') || (c >= '0' && c <= '9') || c == '-') {
+			return filepath.Join(f.root, sessionPrefix+"invalid")
+		}
+	}
+	return filepath.Join(f.root, sessionPrefix+token)
 }
 
 func (f *FileTokenStore) readFile(token string, read bool) (*types.Token, error) {
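Review bot: The new validation loop in getSessionFile still hands back a usable path for a rejected token — every token containing a disallowed character maps to the same `sessionPrefix+"invalid"` file under `f.root` — so the callers (Revoke above and readFile below; both bodies lie outside the hunk) go on to open, read or unlink that one shared file instead of failing. If any caller ever writes a session through this path, two attacker-chosen tokens alias the same file, and an empty token skips the loop entirely and resolves to the bare prefix path. Returning an error for malformed input is the safer contract; that changes the signature to `(string, error)`, needs an `errors` import, and requires a one-line propagation at each caller. If tokens are always canonical 36-character UUIDs, as the comment suggests, a `len(token) != 36` guard would also bound the filename length — worth confirming against the token generator before adding it.
```go
// errInvalidToken is returned for a session token that is not lowercase-hex UUID text.
var errInvalidToken = errors.New("invalid session token")

func (f *FileTokenStore) getSessionFile(token string) (string, error) {
	// Only lowercase hex and '-' may reach the filesystem; anything else is
	// rejected outright rather than mapped to a shared sentinel file.
	if token == "" {
		return "", errInvalidToken
	}
	for _, c := range token {
		if !((c >= 'a' && c <= 'f') || (c >= '0' && c <= '9') || c == '-') {
			return "", errInvalidToken
		}
	}
	return filepath.Join(f.root, sessionPrefix+token), nil
}
```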