From b94b22015639571b326742b9cf84d5cf544a2fdc Mon Sep 17 00:00:00 2001
From: Joao Lisboa <joaohlisboa@users.noreply.github.com>
Date: Tue, 2 Dec 2025 10:52:37 -0300
Subject: [PATCH] Fix path traversal vulnerability in media server
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The /media/:id endpoint was vulnerable to path traversal attacks.
Since this endpoint is exposed via Tailscale Funnel (unlike the
WhatsApp webhook which requires Twilio signature validation),
attackers could directly request paths like /media/%2e%2e%2fwarelay.json
to access sensitive files in ~/.warelay/ (e.g. warelay.json), or even
escape further to the user's home directory via multiple ../ sequences.

Fix: validate resolved paths stay within the media directory.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/media/server.test.ts | 10 ++++++++++
 src/media/server.ts      |  7 ++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/media/server.test.ts b/src/media/server.test.ts
index 876051dcd..c30e6ea61 100644
--- a/src/media/server.test.ts
+++ b/src/media/server.test.ts
@@ -49,4 +49,14 @@ describe("media server", () => {
     await expect(fs.stat(file)).rejects.toThrow();
     await new Promise((r) => server.close(r));
   });
+
+  it("blocks path traversal attempts", async () => {
+    const server = await startMediaServer(0, 5_000);
+    const port = (server.address() as AddressInfo).port;
+    // URL-encoded "../" to bypass client-side path normalization
+    const res = await fetch(`http://localhost:${port}/media/%2e%2e%2fpackage.json`);
+    expect(res.status).toBe(400);
+    expect(await res.text()).toBe("invalid path");
+    await new Promise((r) => server.close(r));
+  });
 });
diff --git a/src/media/server.ts b/src/media/server.ts
index 52c5a1ec3..27c2d5ed9 100644
--- a/src/media/server.ts
+++ b/src/media/server.ts
@@ -17,7 +17,12 @@ export function attachMediaRoutes(
 
   app.get("/media/:id", async (req, res) => {
     const id = req.params.id;
-    const file = path.join(mediaDir, id);
+    const file = path.resolve(mediaDir, id);
+    const mediaRoot = path.resolve(mediaDir) + path.sep;
+    if (!file.startsWith(mediaRoot)) {
+      res.status(400).send("invalid path");
+      return;
+    }
     try {
       const stat = await fs.stat(file);
       if (Date.now() - stat.mtimeMs > ttlMs) {