fix(server): only allow absolute import paths (#13642)

fix: only allow absolute paths
2025-11-14 17:36:12 +00:00 · 2024-10-21 16:12:12 +02:00 · 2024-10-21 16:12:12 +02:00 · b411e30796
commit b411e30796
parent 56bebd01df
4 changed files with 54 additions and 7 deletions
--- a/server/src/services/library.service.ts
+++ b/server/src/services/library.service.ts
@ -1,6 +1,6 @@
 import { BadRequestException, Injectable } from '@nestjs/common';
 import { R_OK } from 'node:constants';
-import path, { basename, parse } from 'node:path';
+import path, { basename, isAbsolute, parse } from 'node:path';
 import picomatch from 'picomatch';
 import { StorageCore } from 'src/cores/storage.core';
 import { OnEvent } from 'src/decorators';
@ -268,6 +268,11 @@ export class LibraryService extends BaseService {
      return validation;
    }

+    if (!isAbsolute(importPath)) {
+      validation.message = `Import path must be absolute, try ${path.resolve(importPath)}`;
+      return validation;
+    }
+
    try {
      const stat = await this.storageRepository.stat(importPath);
      if (!stat.isDirectory()) {