Fix run asset path traversal by zemaj · Pull Request #2 · just-every/12ui-codex

zemaj · 2026-05-12T06:54:00Z

Prevent unauthenticated arbitrary file reads via path traversal in run asset endpoints by validating run IDs and sanitizing asset paths.
Ensure run filesystem paths are built only from trusted run identifiers and that served assets cannot escape the intended .runs/<id>/assets directory.

Add parseRunId in src/server/validation.ts to strictly validate run IDs as UUIDs and use it for all run-related routes and operations where run IDs arrive from URLs (API handlers now call parseRunId).
Route runDir through parseRunId in src/server/runStore.ts so invalid/decoded traversal run IDs are rejected before touching the filesystem.
Add resolveRunAssetPath in src/server/assets.ts and update readRunAsset to reject empty, absolute, ./.. segments, and any path that does not resolve under the run assets directory, then read only the resolved path.
Update API handlers in src/server/api.ts to validate run IDs before reading runs, streaming events, serving assets, creating handovers, and serving handover assets.
Add regression tests in src/server/assets.test.ts and extend src/server/validation.test.ts to cover valid reads, traversal/absolute-path rejection, and run ID validation.

Ran type checking with pnpm run typecheck, which succeeded without errors.
Ran unit tests with pnpm run test, with all tests passing (new tests included); test suite reported all tests passed.
Built the project with pnpm run build, which completed successfully.

Fix run asset path traversal

86b05c7

zemaj added aardvark codex labels May 12, 2026 — with ChatGPT Codex Connector

Provide feedback