fix: add path traversal check to global map download

2026-03-28 03:29:25 +01:00 · 2026-03-24 16:51:13 -06:00 · 2026-03-24 16:51:13 -06:00 · 04297b7a21
commit 04297b7a21
parent 8e9131d2ff
1 changed files with 7 additions and 1 deletions
--- a/admin/app/services/map_service.ts
+++ b/admin/app/services/map_service.ts
@ -440,7 +440,13 @@ export class MapService implements IMapService {
      throw new Error(`Download already in progress for URL ${info.url}`)
    }

-    const filepath = join(process.cwd(), this.mapStoragePath, 'pmtiles', info.key)
+    const basePath = resolve(join(this.baseDirPath, 'pmtiles'))
+    const filepath = resolve(join(basePath, info.key))
+
+    // Prevent path traversal — resolved path must stay within the storage directory
+    if (!filepath.startsWith(basePath + sep)) {
+      throw new Error('Invalid filename')
+    }

    // First, ensure base assets are present - the global map depends on them
    const baseAssetsExist = await this.ensureBaseAssets()