Security: Path traversal in screenshot/pdf/eval commands allows arbitrary file read/write #13
Description
Summary
The screenshot, pdf, responsive, and eval commands accept arbitrary file paths without validation. This allows writing files to any location the user has access to (via screenshot/pdf) and reading any file on disk (via eval).
Details
Arbitrary file write (screenshot/pdf/responsive)
browse screenshot /etc/cron.d/backdoor.png will attempt to write to that path. No validation that the output path is within a safe directory (e.g. /tmp).
Affected code:
browse/src/meta-commands.ts—screenshot,pdf,responsivehandlers
Arbitrary file read (eval)
browse eval /etc/passwd reads the file contents and attempts to execute them as JS. Even if execution fails, the error message may leak file contents.
Affected code:
browse/src/read-commands.ts—evalhandler
Suggested fix
- Validate that output paths for screenshot/pdf/responsive resolve to
/tmpor the current working directory - Validate that eval paths don't contain
..and resolve within the project directory or a safe allowlist - Reject absolute paths outside allowed directories
Impact
- Severity: High
- Attack surface: Local (requires CLI access), but relevant when Claude Code agents invoke browse commands autonomously