fix: ensure path resolve is safe

antfu · antfu · commit 1fabb493c0ad · 2025-09-20T13:47:22.000-04:00
diff --git a/packages/devtools/src/server-rpc/assets.ts b/packages/devtools/src/server-rpc/assets.ts
@@ -47,6 +47,8 @@ export function setupAssetsRPC({ nuxt, ensureDevAuthToken, refresh, options }: N
     for (const { layerDir, files } of dirs) {
       for (const path of files) {
         const filePath = resolve(layerDir, path)
+        if (!filePath.startsWith(layerDir))
+          continue
         const stat = await fsp.lstat(filePath)
         const fullPath = join(baseURL, path)
 
@@ -109,6 +111,8 @@ export function setupAssetsRPC({ nuxt, ensureDevAuthToken, refresh, options }: N
       return await Promise.all(
         files.map(async ({ path, content, encoding, override }) => {
           let finalPath = resolve(baseDir, path)
+          if (!finalPath.startsWith(baseDir))
+            throw new Error(`File ${path} is not allowed to upload, it's outside of the public directory`)
 
           const { ext } = parse(finalPath)
           if (extensions !== '*') {
