let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix path traversal vulnerability in media server

Browse Source 
The /media/:id endpoint was vulnerable to path traversal attacks.
Since this endpoint is exposed via Tailscale Funnel (unlike the
WhatsApp webhook which requires Twilio signature validation),
attackers could directly request paths like /media/%2e%2e%2fwarelay.json
to access sensitive files in ~/.warelay/ (e.g. warelay.json), or even
escape further to the user's home directory via multiple ../ sequences.

Fix: validate resolved paths stay within the media directory.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Joao Lisboa
2025-12-02 10:52:37 -03:00
committed by Peter Steinberger
parent 26921cbe68
commit b94b220156
2 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/media/server.test.ts
View File

@@ -49,4 +49,14 @@ describe("media server", () => {
await expect(fs.stat(file)).rejects.toThrow();
await new Promise((r) => server.close(r));
});
it("blocks path traversal attempts", async () => {
const server = await startMediaServer(0, 5_000);
const port = (server.address() as AddressInfo).port;
// URL-encoded "../" to bypass client-side path normalization
const res = await fetch(`http://localhost:${port}/media/%2e%2e%2fpackage.json`);
expect(res.status).toBe(400);
expect(await res.text()).toBe("invalid path");
await new Promise((r) => server.close(r));
});
});