Security: Path safety check is vulnerable to symlink-based directory escape#465
Open
tuanaiseo wants to merge 1 commit intoheygen-com:mainfrom
Conversation
`isSafePath` only verifies string prefix containment after `resolve()`. This does not account for symlinks inside the project directory that point outside the base path. Downstream file reads/writes that rely on this helper can be tricked into accessing files outside the intended project root via symlink traversal. Affected files: safePath.ts Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Collaborator
miguel-heygen
left a comment
miguel-heygen
left a comment
There was a problem hiding this comment.
Left one note on coverage.
| import { readdirSync, realpathSync } from "node:fs"; | ||
|
|
||
| /** Reject paths that escape the project directory. */ | ||
| export function isSafePath(base: string, resolved: string): boolean { |
Collaborator
There was a problem hiding this comment.
This closes a real escape, but I would still want one focused regression test here. isSafePath() is the guard for both the Studio file routes and preview asset serving, so the PR should prove a symlink inside the project cannot read or write outside the project root, while a normal in-project create still works. Otherwise this is easy to reopen later.
miguel-heygen
requested changes
Apr 23, 2026
Collaborator
miguel-heygen
left a comment
miguel-heygen
left a comment
There was a problem hiding this comment.
This fixes a real issue, but I want one targeted regression test before approval. isSafePath() guards the Studio file routes and preview asset serving, and this is easy to reopen later without coverage.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
isSafePathonly verifies string prefix containment afterresolve(). This does not account for symlinks inside the project directory that point outside the base path. Downstream file reads/writes that rely on this helper can be tricked into accessing files outside the intended project root via symlink traversal.Severity:
mediumFile:
packages/core/src/studio-api/helpers/safePath.tsSolution
Use
realpath(orrealpathSync) on both base and target before comparison, and reject targets whose real path is outside the base real path. For write paths, also open files with flags that reduce symlink-follow risks where possible.Changes
packages/core/src/studio-api/helpers/safePath.ts(modified)Testing