Merge pull request #35311 from orbisai0security/fix-fix-path-traversal-playlist-edit

fix: cli commands accept file path arguments directl... in edit.ts
2026-05-08 10:37:44 -04:00 · 2026-04-11 17:43:36 -04:00
parent ef2b521f92 3f20573f74
commit a3ca0e942a
1 changed files with 11 additions and 1 deletions
--- a/scripts/commands/playlist/edit.ts
+++ b/scripts/commands/playlist/edit.ts
@@ -4,11 +4,13 @@ import { select, input } from '@inquirer/prompts'
 import { Playlist, Stream } from '../../models'
 import { Storage } from '@freearhey/storage-js'
 import { PlaylistParser } from '../../core'
+import { ROOT_DIR } from '../../constants'
+import { truncate } from '../../utils'
 import nodeCleanup from 'node-cleanup'
 import * as sdk from '@iptv-org/sdk'
-import { truncate } from '../../utils'
 import { Command } from 'commander'
 import readline from 'readline'
+import path from 'node:path'

 type ChoiceValue = { type: string; value?: sdk.Models.Feed | sdk.Models.Channel }
 type Choice = { name: string; short?: string; value: ChoiceValue; default?: boolean }
@@ -30,6 +32,14 @@ program.argument('<filepath>', 'Path to *.channels.xml file to edit').parse(proc

 const filepath = program.args[0]
 const logger = new Logger()
+
+const resolvedPath = path.resolve(filepath)
+const relative = path.relative(ROOT_DIR, resolvedPath)
+if (relative.startsWith('..') || path.isAbsolute(relative)) {
+  console.error(`Error: filepath "${filepath}" is outside the working directory`)
+  process.exit(1)
+}
+
 const storage = new Storage()
 let parsedStreams = new Collection<Stream>()