fix(server): only allow absolute import paths (#13642)

fix: only allow absolute paths
2024-10-21 16:12:12 +02:00
parent 56bebd01df
commit b411e30796
4 changed files with 54 additions and 7 deletions
@@ -1,6 +1,6 @@
 import { BadRequestException, Injectable } from '@nestjs/common';
 import { R_OK } from 'node:constants';
-import path, { basename, parse } from 'node:path';
+import path, { basename, isAbsolute, parse } from 'node:path';
 import picomatch from 'picomatch';
 import { StorageCore } from 'src/cores/storage.core';
 import { OnEvent } from 'src/decorators';
@@ -268,6 +268,11 @@ export class LibraryService extends BaseService {
      return validation;
    }

+    if (!isAbsolute(importPath)) {
+      validation.message = `Import path must be absolute, try ${path.resolve(importPath)}`;
+      return validation;
+    }
+
    try {
      const stat = await this.storageRepository.stat(importPath);
      if (!stat.isDirectory()) {