Skip to content

security: fix path-injection, SSRF & rate-limiting in namespace-notes (PIN-26)#78

Open
jhamon wants to merge 1 commit into
mainfrom
security/pin-26-code-vulns
Open

security: fix path-injection, SSRF & rate-limiting in namespace-notes (PIN-26)#78
jhamon wants to merge 1 commit into
mainfrom
security/pin-26-code-vulns

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown

Summary

Resolves the 13 CodeQL code-scanning alerts in namespace-notes (PIN-26, child of PIN-16 / PIN-6 security fast-track).

Rule Count Fix
js/path-injection 10 New pathSafety helper validates each user-supplied path segment and confirms the resolved path stays inside the uploads base dir
js/request-forgery (SSRF) 2 Validate + encodeURIComponent namespaceId/documentId before building outbound fetch URLs
js/missing-rate-limiting 1 express-rate-limit on the filesystem routes

Details

Path injection — added server/src/utils/storage/pathSafety.ts:

  • sanitizeSegment() rejects empty values, path separators (/, \), ./.., and null bytes.
  • safeJoin() validates every segment and then asserts the fully-resolved path is contained within the trusted base directory (the authoritative traversal guard).
  • Applied across serverStorage.ts (saveFile, getFilePath, deleteWorkspaceFiles, deleteFileFromWorkspace, listFilesInNamespace) and documentController.serveDocument.

SSRFclient/src/app/api/files/route.ts: user ids are validated against ^[A-Za-z0-9_-]+$ and URL-encoded before interpolation, so they cannot alter the request path/host.

Rate limitingdocumentRoutes.ts: a 60 req/min/IP limiter guards all routes that touch local storage.

Verification

  • npx tsc (server) — exit 0.
  • npx tsc --noEmit (client) — exit 0.
  • Path-traversal vectors (.., ns/../.., ..\..\x, empty, .) verified rejected; legit dotted filenames (report.final.pdf) pass.

🤖 Generated with Claude Code

…space-notes

Addresses 13 CodeQL code-scanning alerts (PIN-26):

- js/path-injection (10): add pathSafety helper (sanitizeSegment + safeJoin)
  that validates each user-supplied path segment and confirms the resolved
  path stays within the uploads base dir. Applied across serverStorage.ts
  (saveFile, getFilePath, deleteWorkspaceFiles, deleteFileFromWorkspace,
  listFilesInNamespace) and documentController.serveDocument.
- js/request-forgery (2): validate + URL-encode namespaceId/documentId before
  interpolating them into outbound fetch URLs in client files/route.ts.
- js/missing-rate-limiting (1): add express-rate-limit to the filesystem
  routes in documentRoutes.ts.

Server and client both typecheck clean; path-traversal vectors verified blocked.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant