🏗️ Phase 1 for production readyness

2025-11-24 15:59:18 +02:00
parent 5f585e2a9f
commit f383b86b4d
10 changed files with 77 additions and 8 deletions
--- a/lib/markdown.ts
+++ b/lib/markdown.ts
@@ -15,6 +15,15 @@ export function sanitizePath(inputPath: string): string {
  if (normalized.includes('..') || path.isAbsolute(normalized)) {
    throw new Error('Invalid path')
  }
+
+  // CRITICAL: Verify resolved path stays within content directory
+  const resolvedPath = path.resolve(POSTS_PATH, normalized)
+  const allowedBasePath = path.resolve(POSTS_PATH)
+
+  if (!resolvedPath.startsWith(allowedBasePath)) {
+    throw new Error('Path traversal attempt detected')
+  }
+
  return normalized
 }