
fix: sanitize preview IDs to prevent path traversal and XSS#11

Merged
hydro13 merged 6 commits into main from fix/preview-path-traversal-xss on Mar 17, 2026

Conversation

@hydro13
Owner

@hydro13 hydro13 commented Mar 17, 2026

Summary

  • Preview routes accepted unsanitized :id params, allowing path traversal (../../) to read/write/delete .json files outside the previews directory
  • The 404 page reflected the raw ID into HTML without escaping, enabling reflected XSS
  • Added assertSinglePathSegment() to all four :id route handlers (PUT, GET, GET /meta, DELETE)
  • Added escapeHtml() to the 404 response as defense-in-depth
  • Both guards already existed in src/utils/security.ts, just weren't wired up for preview routes

Test plan

  • Preview create, read, update, delete all work normally
  • Path traversal attempts (../../api-token) return "Invalid preview ID"
  • XSS payloads in preview ID return "Invalid preview ID"
  • TypeScript compiles without errors
  • App starts and runs normally

hydro13 added 3 commits March 17, 2026 09:49
… (security)

Preview routes accepted unsanitized :id params from the URL, allowing
path traversal (../../) to read/write/delete .json files outside the
previews directory, and reflected XSS via the 404 page.

Added assertSinglePathSegment() validation to all four :id route handlers
and escapeHtml() to the 404 response. Both guards already existed in
src/utils/security.ts.

Bump to v0.62.10.
@hydro13 hydro13 self-assigned this Mar 17, 2026
hydro13 added 3 commits March 17, 2026 10:48
assertSinglePathSegment already blocks traversal, but CodeQL cannot
trace that validation. Adding resolvePathWithinRoot as a second guard
in previewPath() itself makes the path restriction visible to static
analysis.
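
The layered fix described in the PR summary (assertSinglePathSegment() on the :id handlers, escapeHtml() on the 404 body) and in the CodeQL commit above (resolvePathWithinRoot as a second guard inside previewPath()), reconstructed as an added example. This is not the project's code from src/utils/security.ts: the previews root, the allowed id character set, the error-to-400 mapping, the in-memory store and the pure-TypeScript path normaliser standing in for path.resolve are all assumptions made here.

```typescript
// Added example, not the project's code: the guard layers this PR describes,
// reimplemented from the description. PREVIEWS_ROOT, the id allowlist, the
// in-memory store and normalizePosix (standing in for Node's path.resolve)
// are assumptions, not taken from src/utils/security.ts.

const PREVIEWS_ROOT = "/srv/app/previews"; // assumed location of the previews dir

function invalidPreviewId(): never {
  throw new Error("Invalid preview ID");
}

// Guard 1 (route level): the :id param must be exactly one path segment.
// Frameworks such as Express hand the handler the percent-decoded value, so
// "%2e%2e%2f" arrives as "../" and is caught here as well.
export function assertSinglePathSegment(id: string): string {
  if (id === "" || id === "." || id === "..") invalidPreviewId();
  if (id.indexOf("/") !== -1 || id.indexOf("\\") !== -1 || id.indexOf("\0") !== -1) {
    invalidPreviewId();
  }
  // Assumed allowlist, tighter than "one segment": it also rejects the XSS
  // payloads from the PR's test plan before they can reach any HTML.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(id)) invalidPreviewId();
  return id;
}

// Minimal POSIX normaliser so the example runs without Node's "path" module:
// drops "." and empty segments, resolves "..", never climbs above "/".
function normalizePosix(p: string): string {
  const absolute = p.charAt(0) === "/";
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length > 0) out.pop();
      else if (!absolute) out.push("..");
      continue;
    }
    out.push(seg);
  }
  return (absolute ? "/" : "") + out.join("/");
}

// Guard 2 (filesystem level): resolve, then prove the result lies under root.
// The prefix compared is root + "/" rather than root alone, otherwise a
// sibling such as "/srv/app/previews-evil" would pass the check.
export function resolvePathWithinRoot(root: string, relative: string): string {
  const base = normalizePosix(root);
  const target = normalizePosix(base + "/" + relative);
  if (target.slice(0, base.length + 1) !== base + "/") invalidPreviewId();
  return target;
}

// Both guards in one place, which is what makes the restriction visible to
// static analysis even if a caller forgets the route-level check.
export function previewPath(id: string): string {
  const safeId = assertSinglePathSegment(id);
  return resolvePathWithinRoot(PREVIEWS_ROOT, `${safeId}.json`);
}

// Guard 3 (output level): escape before reflecting the id into the 404 body.
export function escapeHtml(s: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

export function notFoundBody(id: string): string {
  return `<h1>404</h1><p>Preview ${escapeHtml(id)} not found</p>`;
}

export interface PreviewResponse { status: number; body: string }

// Stand-in for the GET /:id handler. The store is a constructed in-memory map
// keyed by the absolute path the real handler would read from disk.
export function handlePreviewGet(id: string, store: Record<string, string>): PreviewResponse {
  try {
    const file = previewPath(id);
    const data: string | undefined = store[file];
    if (data === undefined) return { status: 404, body: notFoundBody(id) };
    return { status: 200, body: data };
  } catch (e) {
    if (e instanceof Error && e.message === "Invalid preview ID") {
      return { status: 400, body: e.message };
    }
    throw e;
  }
}

// Constructed sample store: one legitimate preview and one file outside the root
// that a traversal id like "../../api-token" would otherwise reach.
export const sampleStore: Record<string, string> = {
  "/srv/app/previews/abc-123.json": '{"title":"hello"}',
  "/srv/app/api-token.json": '{"token":"secret"}',
};
```

With the allowlist in place the 404 branch can only ever see an id that already passed validation, so escapeHtml() there is genuinely defense-in-depth, exactly as the PR summary puts it; the test below still exercises it directly with a payload to show it would hold on its own.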
@hydro13 hydro13 merged commit a33aea0 into main Mar 17, 2026
4 checks passed