raresj/mypage
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🏗️ Phase 1 for production readyness

Browse Source
This commit is contained in:
RJ
2025-11-24 15:59:18 +02:00
committed by Rares J
parent 1baef49f73
commit 7dca1de1aa
10 changed files with 77 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/markdown.ts
View File

@@ -15,6 +15,15 @@ export function sanitizePath(inputPath: string): string {
if (normalized.includes('..') || path.isAbsolute(normalized)) {
throw new Error('Invalid path')
}
// CRITICAL: Verify resolved path stays within content directory
const resolvedPath = path.resolve(POSTS_PATH, normalized)
const allowedBasePath = path.resolve(POSTS_PATH)
if (!resolvedPath.startsWith(allowedBasePath)) {
throw new Error('Path traversal attempt detected')
}
return normalized
}

5
lib/remark-copy-images.ts
View File

@@ -39,8 +39,9 @@ async function copyAndRewritePath(node: ImageNode, options: Options): Promise<vo
const sourcePath = path.resolve(contentPostDir, urlWithoutParams)
if (sourcePath.includes('..') && !sourcePath.startsWith(path.join(process.cwd(), contentDir))) {
throw new Error(`Invalid image path: ${node.url} (path traversal detected)`)
const allowedBasePath = path.join(process.cwd(), contentDir)
if (!sourcePath.startsWith(allowedBasePath)) {
throw new Error(`Invalid image path outside content directory: ${node.url}`)
}
const relativeToContent = path.relative(path.join(process.cwd(), contentDir), sourcePath)