fix(server): harden RTE demo path resolution and prevent path traversal#3090
Open
fix(server): harden RTE demo path resolution and prevent path traversal#3090
Conversation
|
Generated by: track-bundle-size
new sizes (raw)To set the sizes as a new baseline, you can copy/paste next content to the {
"version": "6.4.4",
"timestamp": "2026-04-10",
"sizes": {
"templateApp": {
"css": 255089,
"js": 445904
},
"@epam/app": {
"css": 720897,
"js": 4936201
},
"@epam/electric": {
"css": 2275,
"js": 2883
},
"@epam/promo": {
"css": 47756,
"js": 9145
},
"@epam/uui-extra": {
"css": 0,
"js": 213
},
"@epam/loveship": {
"css": 55330,
"js": 43227
},
"@epam/uui-components": {
"css": 25157,
"js": 241794
},
"@epam/uui-core": {
"css": 0,
"js": 336983
},
"@epam/uui-db": {
"css": 0,
"js": 42718
},
"@epam/uui-docs": {
"css": 2152,
"js": 197287
},
"@epam/uui-editor": {
"css": 12954,
"js": 163688
},
"@epam/uui-timeline": {
"css": 2199,
"js": 75104
},
"@epam/uui": {
"css": 215800,
"js": 345661
}
}
}Generated by: generate-components-api Total amount of exported types/props without JSDoc comments
|
MSt1ch
approved these changes
Apr 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Snyk SAST (rule Javascript/Pt, CWE-23): unsanitized input from the HTTP request body was used when resolving the path for
fs.readFileSyncinserver/api/RTEDemoApi.ts(POST /get-demo-doc-content). The handler attempted a path check but did not return after rejecting unsafe paths, so execution could still reachreadFileSyncoutside the intendedrte_contentsdirectory.Root cause
res.send(null)but did not exit, so the code could continue toexistsSync/readFileSyncfor the same resolved path.startsWith(contentDir)is a weaker pattern than resolving the base directory and usingpath.relativefor containment.rte_contentswas inconsistent with the compiled server layout (server/build/api→ repopublic/), compared toget-contents-list.Fix
contentDirwithpath.resolve(__dirname, '../../../public/rte_contents')and requirepath.relative(contentDir, docContentPath)to stay inside the directory (no..prefix, not absolute).res.send(null)when the path is invalid or the file is missing.get-contents-listwith the samepublic/rte_contentsbase path.Files:
server/api/RTEDemoApi.tsHow to verify
cd server && yarn buildPOST /api/get-demo-doc-contentwith a safename(existing JSON underpublic/rte_contents) and confirm a 200 and JSON body.name(e.g. containing..segments); expect null response and no read outsidepublic/rte_contents.Affected areas for QA
server/), RTE demo API:POST .../get-demo-doc-contentandGET .../get-contents-listif your tests hit those routes.@epam/uuinpm packages, app UI bundles, or component library behavior.public/rte_contents(if used in your environment).Jira