valknar/llmx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Normalize paths in resolvePathAgainstWorkdir to prevent path traversal vulnerability (#895)

Browse Source 
This PR fixes a potential path traversal vulnerability by ensuring all
paths are properly normalized in the `resolvePathAgainstWorkdir`
function.

## Changes
- Added path normalization for both absolute and relative paths
- Ensures normalized paths are used in all subsequent operations
- Prevents potential path traversal attacks through non-normalized paths

This minimal change addresses the security concern without adding
unnecessary complexity, while maintaining compatibility with existing
code.
This commit is contained in:
Avi Rosenberg
2025-05-12 23:44:00 +03:00
committed by GitHub
parent 73fe1381aa
commit ab4cb94227
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
codex-cli/src/approvals.ts
View File

@@ -281,12 +281,14 @@ export function resolvePathAgainstWorkdir(
candidatePath: string, candidatePath: string,
workdir: string | undefined, workdir: string | undefined,
): string { ): string {
if (path.isAbsolute(candidatePath)) { // Normalize candidatePath to prevent path traversal attacks
return candidatePath; const normalizedCandidatePath = path.normalize(candidatePath);
if (path.isAbsolute(normalizedCandidatePath)) {
return normalizedCandidatePath;
} else if (workdir != null) { } else if (workdir != null) {
return path.resolve(workdir, candidatePath); return path.resolve(workdir, normalizedCandidatePath);
} else { } else {
return path.resolve(candidatePath); return path.resolve(normalizedCandidatePath);
} }
} }