From e6f30e0d81afa3c7b1a00abd9d7be50ca372c163 Mon Sep 17 00:00:00 2001
From: Robin Waslander
Date: Tue, 17 Mar 2026 11:14:00 +0100
Subject: [PATCH 1/3] fix: restrict sync root paths to user home directory (security)

normalizeExistingDirectoryPath accepted any valid directory path on the filesystem as a sync root. Added assertPathWithinRoot(os.homedir()) to ensure sync roots stay within the user's home directory.
---
 src/utils/security.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/utils/security.ts b/src/utils/security.ts
index 38ba95e..0d959a3 100644
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -1,4 +1,5 @@
 import fs from 'fs';
+import os from 'os';
 import path from 'path';
 const HTML_ESCAPE_RE = /[&<>"']/g;
@@ -159,6 +160,7 @@ export function normalizeExistingDirectoryPath(value: string, label: string): st
 }
 const resolved = path.resolve(trimmed);
+ assertPathWithinRoot(os.homedir(), resolved);
 const stat = fs.statSync(resolved);
 if (!stat.isDirectory()) {
 throw new Error(`${label} must be a directory`);

From a7c54411b8e503ff1880085dc7fc2fefd3a53ae6 Mon Sep 17 00:00:00 2001
From: Robin Waslander
Date: Tue, 17 Mar 2026 11:14:00 +0100
Subject: [PATCH 2/3] chore: bump to v0.62.13

---
 CHANGELOG.md | 8 ++++++++
 package-lock.json | 4 ++--
 package.json | 2 +-
 shell/about.html | 2 +-
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5af3875..caf195f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,14 @@
 All notable changes to Tandem Browser will be documented in this file.
+## [v0.62.13] - 2026-03-17
+
+- fix: restrict sync root paths to user home directory (security)
+
+normalizeExistingDirectoryPath accepted any valid directory path on the
+filesystem as a sync root. Added assertPathWithinRoot(os.homedir())
+to ensure sync roots stay within the user's home directory.
+
 ## [v0.62.12] - 2026-03-17
 - fix: sanitize preview IDs to prevent path traversal and reflected XSS (security)
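Review bot: The added `assertPathWithinRoot(os.homedir(), resolved)` only checks the lexical path produced by `path.resolve`, so a symlink inside the home directory that points outside it still passes (assuming assertPathWithinRoot compares normalized path strings — its body is not in this hunk). Keep this check as the first, filesystem-free gate, then canonicalize and re-check before the stat: `const real = fs.realpathSync(resolved);` followed by `assertPathWithinRoot(fs.realpathSync(os.homedir()), real);`, and pass `real` to `fs.statSync` (and, presumably, return it in place of `resolved`). Canonicalizing the home directory on the same side avoids false rejections where the home path is itself a symlink. Running the lexical check before any filesystem call is right as written, since it prevents a caller from using the stat error to probe directories outside the home. normalizeExistingDirectoryPath begins and ends outside the hunk.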
diff --git a/package-lock.json b/package-lock.json
index 0c2ccbe..c37144e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "tandem-browser",
- "version": "0.62.12",
+ "version": "0.62.13",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "tandem-browser",
- "version": "0.62.12",
+ "version": "0.62.13",
 "hasInstallScript": true,
 "license": "MIT",
 "dependencies": {
diff --git a/package.json b/package.json
index 7041161..da84966 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "tandem-browser",
- "version": "0.62.12",
+ "version": "0.62.13",
 "description": "First-party OpenClaw companion browser for human-AI collaboration with built-in security controls",
 "main": "dist/main.js",
 "author": "Tandem Browser contributors",
diff --git a/shell/about.html b/shell/about.html
index f9e3824..698b40c 100644
--- a/shell/about.html
+++ b/shell/about.html
@@ -114,7 +114,7 @@
Tandem
First-Party OpenClaw Companion Browser
Developer Preview
-
v0.62.12
+
v0.62.13
Built specifically for human-AI collaboration with OpenClaw.
 Maintained in the same ecosystem as OpenClaw, with security and local control built in.

From 2c27f1c4e1739696dea086195b5cd1ae5a5bf350 Mon Sep 17 00:00:00 2001
From: Robin Waslander
Date: Tue, 17 Mar 2026 11:14:14 +0100
Subject: [PATCH 3/3] chore: clean up changelog entry

---
 CHANGELOG.md | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index caf195f..cf74e92 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,10 +6,6 @@ All notable changes to Tandem Browser will be documented in this file.
 - fix: restrict sync root paths to user home directory (security)
-normalizeExistingDirectoryPath accepted any valid directory path on the
-filesystem as a sync root. Added assertPathWithinRoot(os.homedir())
-to ensure sync roots stay within the user's home directory.
-
 ## [v0.62.12] - 2026-03-17
 - fix: sanitize preview IDs to prevent path traversal and reflected XSS (security)