From 23845413c5468669a7f717f270fae6108046eda7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9C=A8=E7=82=8E?= <635735027@qq.com>
Date: Thu, 16 Apr 2026 22:30:35 +0800
Subject: [PATCH] fix: patch path traversal and baseUrl normalization in scene generator
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- server.js: sanitize static file paths to prevent directory traversal (GET /../../sgclaw_config.json would expose API key)
- config-loader.js: fix normalizeBaseUrl to strip /v1 before appending, preventing double /v1 for non-standard base URLs
🤖 Generated with [Qoder][https://qoder.com]
---
 frontend/scene-generator/config-loader.js | 4 ++--
 frontend/scene-generator/server.js | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/frontend/scene-generator/config-loader.js b/frontend/scene-generator/config-loader.js
index fbafb92..b4199c6 100644
--- a/frontend/scene-generator/config-loader.js
+++ b/frontend/scene-generator/config-loader.js
@@ -64,8 +64,8 @@ function loadConfig() {
 function normalizeBaseUrl(url) {
 url = url.replace(/\/+$/, "");
- if (!url.endsWith("/v1")) url = url + "/v1";
- return url;
+ url = url.replace(/\/v1\/?$/, "");
+ return url + "/v1";
 }

 function getDefaults() {
diff --git a/frontend/scene-generator/server.js b/frontend/scene-generator/server.js
index 3d812a0..4594484 100644
--- a/frontend/scene-generator/server.js
+++ b/frontend/scene-generator/server.js
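Review bot: In normalizeBaseUrl the optional slash in the new `url = url.replace(/\/v1\/?$/, "");` is dead, because the line above has already removed every trailing `/`; `/\/v1$/` states the intent more plainly. A base URL that already ends in `/v1/v1` is trimmed only once and still comes back doubled, which is a small gap rather than a regression but worth recording. The function has no doc comment and its contract changed (the old code appended only when `/v1` was missing), so a JSDoc such as `/** Returns url with trailing slashes and any existing /v1 suffix removed, then exactly one /v1 appended. */` would save the next reader a trip through the history. As before, a non-string `url` throws a TypeError at the first `replace`; whether the caller guarantees a string is not visible in this hunk.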
@@ -190,7 +190,13 @@ const server = http.createServer(async (req, res) => {
 } else if (pathname === "/" || pathname === "/index.html") {
 serveStatic(res, path.join(__dirname, "sg_scene_generator.html"));
 } else {
- const filePath = path.join(__dirname, pathname);
+ const filePath = path.resolve(__dirname, pathname);
+ const resolvedDir = path.resolve(__dirname);
+ if (!filePath.startsWith(resolvedDir + path.sep) && filePath !== resolvedDir) {
+ res.writeHead(403, { "Content-Type": "application/json" });
+ res.end(JSON.stringify({ error: "Forbidden" }));
+ return;
+ }
 if (fs.existsSync(filePath) && fs.statSync(filePath).isFile()) {
 serveStatic(res, filePath);
 } else {
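Review bot: The new `const filePath = path.resolve(__dirname, pathname);` discards `__dirname` whenever `pathname` is absolute, and it always is here (the branch above compares it to "/" and "/index.html"), so a request for any sibling asset resolves against the filesystem root and is rejected by the new guard with 403 — the traversal is closed, but so is all static serving. Keeping `path.join`, which already collapses `..` segments as the line above for the HTML entry point relies on, and checking its result against the resolved directory gives both: `const resolvedDir = path.resolve(__dirname);` followed by `const filePath = path.join(resolvedDir, pathname);`, with the existing `startsWith` guard left as is. Logging the rejected `pathname` in the 403 branch would also make probing visible in the server log. A string-prefix comparison does not account for symlinks under the directory or case-insensitive filesystems; whether either applies here cannot be told from the hunk. The enclosing request handler starts and ends outside the hunk.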