
fix: allow framework route patterns in path validation #44

Merged: biostochastics merged 1 commit into main from development, Feb 2, 2026

Conversation

@biostochastics
Owner

The path traversal regex was too broad - r"\.\." blocked any occurrence of ".." including valid Next.js catch-all routes like [[...slug]].

Changed to r"(?:^|[\\/])\.\.(?:[\\/]|$)" which only matches ".." when it appears as a standalone path component (actual traversal patterns).

Now correctly:

  • Blocks: ../foo, foo/../bar, foo/.., ..\bar
  • Allows: [[...slug]], [...slug], foo...bar, file..txt

@codeant-ai
Contributor

codeant-ai Bot commented Feb 2, 2026

CodeAnt AI is reviewing your PR.

@biostochastics biostochastics merged commit bed66fb into main Feb 2, 2026
12 checks passed
@codeant-ai
Contributor

codeant-ai Bot commented Feb 2, 2026

Nitpicks 🔍

🔒 No security issues identified
⚡ Recommended areas for review

  • Pre-resolution checks
    Dangerous-pattern checks are run against the raw requested_path string before normalizing/joining/resolving. That ordering can miss attacks that appear only after joining with base_path or after decoding (percent-encoding), and it may yield false negatives/positives for platform-specific paths.

  • Encoded/obfuscated traversal
    The new regex won't match percent-encoded or other encoded forms like %2e%2e, Unicode homoglyphs, or mixed-encoding tricks. These forms won't be normalized by the regex and could bypass the string-based checks.

  • Regex brittleness
    Relying on a single regular expression to detect parent-directory traversal is fragile (edge cases, different separators, encoded or concatenated tokens). A safer approach is to inspect path components (e.g., Path.parts / PurePath.parts) or validate after normalization/resolution instead of only regex matching.
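
Added example (not the project's code) showing the regex from the PR description next to the component-and-normalization check this review suggests; the `base_path` value and the sample paths are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Regex from the PR: flag ".." only as a whole path component,
# delimited by "/" or "\" (or the start/end of the string).
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def regex_flags_traversal(requested_path: str) -> bool:
    """The PR's string-level check, run on the raw request string."""
    return TRAVERSAL_RE.search(requested_path) is not None


def escapes_base(base_path: str, requested_path: str) -> bool:
    """Component-level check along the lines the review suggests (added here,
    not the project's code): percent-decode, unify separators, inspect the
    components, then confirm the joined path still sits under base_path."""
    decoded = requested_path
    for _ in range(3):  # undo repeated encoding (%252e -> %2e -> .)
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.replace("\\", "/")
    # 1. any bare ".." component is rejected, wherever it lands
    if ".." in [p for p in decoded.split("/") if p]:
        return True
    # 2. normalize the joined path and require it to remain below base_path
    base = posixpath.normpath(base_path)
    joined = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    return posixpath.commonpath([base, joined]) != base


# Constructed samples: the PR's own cases plus an encoded form the regex misses.
SAMPLES = ["../foo", "foo/../bar", "foo/..", "..\\bar",
           "[[...slug]]", "[...slug]", "foo...bar", "file..txt",
           "%2e%2e/secret"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:16} regex={regex_flags_traversal(p)!s:5} "
              f"resolved={escapes_base('/srv/app/pages', p)}")
```

The regex alone accepts `%2e%2e/secret`; the decode-then-inspect check rejects it while still allowing the `[[...slug]]` route patterns.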

@codeant-ai
Contributor

codeant-ai Bot commented Feb 2, 2026

CodeAnt AI finished reviewing your PR.
