github-mirror/project-nomad
1
0
Fork 0
mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-28 03:29:25 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: add path traversal check to global map download

Browse Source
This commit is contained in:
Ben Gauger 2026-03-24 16:51:13 -06:00
parent 8e9131d2ff
commit 04297b7a21
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
admin/app/services/map_service.ts
View File

@ -440,7 +440,13 @@ export class MapService implements IMapService {
throw new Error(`Download already in progress for URL ${info.url}`) throw new Error(`Download already in progress for URL ${info.url}`)
} }
const filepath = join(process.cwd(), this.mapStoragePath, 'pmtiles', info.key) const basePath = resolve(join(this.baseDirPath, 'pmtiles'))
const filepath = resolve(join(basePath, info.key))
// Prevent path traversal — resolved path must stay within the storage directory
if (!filepath.startsWith(basePath + sep)) {
throw new Error('Invalid filename')
}
// First, ensure base assets are present - the global map depends on them // First, ensure base assets are present - the global map depends on them
const baseAssetsExist = await this.ensureBaseAssets() const baseAssetsExist = await this.ensureBaseAssets()