From 04297b7a21bb371442312827d7d632b24aa0e0d4 Mon Sep 17 00:00:00 2001
From: Ben Gauger
Date: Tue, 24 Mar 2026 16:51:13 -0600
Subject: [PATCH] fix: add path traversal check to global map download

---
 admin/app/services/map_service.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/admin/app/services/map_service.ts b/admin/app/services/map_service.ts
index 4c34762..00f4976 100644
--- a/admin/app/services/map_service.ts
+++ b/admin/app/services/map_service.ts
@@ -440,7 +440,13 @@ export class MapService implements IMapService {
 throw new Error(`Download already in progress for URL ${info.url}`)
 }
 
- const filepath = join(process.cwd(), this.mapStoragePath, 'pmtiles', info.key)
+ const basePath = resolve(join(this.baseDirPath, 'pmtiles'))
+ const filepath = resolve(join(basePath, info.key))
+
+ // Prevent path traversal — resolved path must stay within the storage directory
+ if (!filepath.startsWith(basePath + sep)) {
+ throw new Error('Invalid filename')
+ }
 
 // First, ensure base assets are present - the global map depends on them
 const baseAssetsExist = await this.ensureBaseAssets()
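Review bot: `resolve` and `sep` are names this hunk introduces, and the file's import line is outside it, so please confirm both are imported from `node:path` alongside `join`; if they are not, the new guard does not compile. The containment check itself looks sound: `resolve(join(basePath, info.key))` normalises `..` segments before the comparison, and testing against `basePath + sep` also rejects an empty key and a key that resolves to the directory itself. Less visible is that the hunk also replaces `join(process.cwd(), this.mapStoragePath, 'pmtiles')` with `this.baseDirPath` as the storage root, which the commit message does not mention; if `baseDirPath` is relative, `resolve` anchors it at `process.cwd()`, so the on-disk location only matches the old one when `baseDirPath` equals `mapStoragePath`. I would say so in the commit message or in a comment such as `// baseDirPath replaces the cwd-relative mapStoragePath root`, and since a rejected key is worth seeing in logs for detection, consider logging the rejected key before throwing rather than only raising a generic `'Invalid filename'`. The enclosing method starts and ends outside the hunk.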