admin/claw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: patch path traversal and baseUrl normalization in scene generator

Browse Source 
- server.js: sanitize static file paths to prevent directory traversal
  (GET /../../sgclaw_config.json would expose API key)
- config-loader.js: fix normalizeBaseUrl to strip /v1 before appending,
  preventing double /v1 for non-standard base URLs

🤖 Generated with [Qoder][https://qoder.com]
This commit is contained in:
木炎
2026-04-16 22:30:35 +08:00
parent ea6be128e7
commit 23845413c5
2 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
frontend/scene-generator/server.js
View File

@@ -190,7 +190,13 @@ const server = http.createServer(async (req, res) => {
} else if (pathname === "/" || pathname === "/index.html") {
serveStatic(res, path.join(__dirname, "sg_scene_generator.html"));
} else {
const filePath = path.join(__dirname, pathname);
const filePath = path.resolve(__dirname, pathname);
const resolvedDir = path.resolve(__dirname);
if (!filePath.startsWith(resolvedDir + path.sep) && filePath !== resolvedDir) {
res.writeHead(403, { "Content-Type": "application/json" });
res.end(JSON.stringify({ error: "Forbidden" }));
return;
}
if (fs.existsSync(filePath) && fs.statSync(filePath).isFile()) {
serveStatic(res, filePath);
} else {