Skip to content

🧹 fix: Sanitize Artifact Filenames in Code Execution Output#12222

Merged
danny-avila merged 5 commits into
devfrom
fix/sec-code-traversal
Mar 14, 2026
Merged

🧹 fix: Sanitize Artifact Filenames in Code Execution Output#12222
danny-avila merged 5 commits into
devfrom
fix/sec-code-traversal

Conversation

@danny-avila

Copy link
Copy Markdown
Owner

No description provided.

Copilot AI review requested due to automatic review settings March 14, 2026 01:58

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens file handling against path traversal by adding filename sanitization/containment checks and introducing regression tests around unsafe filenames.

Changes:

  • Add a local filesystem path containment check before writing buffers to disk.
  • Sanitize code-artifact filenames before saving code execution outputs.
  • Add Jest tests covering traversal scenarios for both local buffer saving and code output processing.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
api/server/services/Files/Local/crud.js Adds a directory containment check before writing a buffer to the local filesystem.
api/server/services/Files/Local/tests/crud-traversal.spec.js Adds tests validating traversal rejection and normal filename acceptance for saveLocalBuffer.
api/server/services/Files/Code/process.js Sanitizes code artifact names via sanitizeFilename before persisting outputs.
api/server/services/Files/Code/tests/process-traversal.spec.js Adds tests asserting sanitizeFilename usage and that traversal inputs don’t reach storage unsanitized.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Comment thread api/server/services/Files/Local/crud.js Outdated
Comment thread api/server/services/Files/Local/__tests__/crud-traversal.spec.js
@danny-avila danny-avila changed the title fix: sanitize artifact filenames in code output 🧹 fix: Sanitize Artifact Filenames n Code Execution Output Mar 14, 2026
@danny-avila danny-avila changed the title 🧹 fix: Sanitize Artifact Filenames n Code Execution Output 🧹 fix: Sanitize Artifact Filenames in Code Execution Output Mar 14, 2026
@danny-avila
danny-avila force-pushed the fix/sec-code-traversal branch from 5bb6ec2 to 883d35c Compare March 14, 2026 06:57
… original filename

- Added a mock implementation for the `sanitizeFilename` function in the `process.spec.js` test file to return the original filename, ensuring that tests can run without altering the filename during the testing process.
…dd security logging

- Replace startsWith with path.relative pattern in saveLocalBuffer, consistent
  with deleteLocalFile and getLocalFileStream in the same file
- Hoist sanitizeFilename call before the image/non-image branch so both code
  paths store the sanitized name in MongoDB
- Log a warning when sanitizeFilename mutates a filename (potential traversal)
- Log a specific warning when saveLocalBuffer throws a traversal error, so
  security events are distinguishable from generic network errors in the catch
- Remove partial sanitizeFilename reimplementation from process-traversal tests;
  use controlled mock returns to verify processCodeOutput wiring instead
- Add test for image branch sanitization
- Use mkdtempSync for test isolation in crud-traversal to avoid parallel worker
  collisions
- Add prefix-collision bypass test case (../user10/evil vs user1 directory)
Pre-existing startsWith check without path separator had the same class
of prefix-collision vulnerability fixed in saveLocalBuffer.
@danny-avila
danny-avila force-pushed the fix/sec-code-traversal branch from 883d35c to 77bfceb Compare March 14, 2026 07:03
@danny-avila
danny-avila merged commit f67bbb2 into dev Mar 14, 2026
9 checks passed
@danny-avila
danny-avila deleted the fix/sec-code-traversal branch March 14, 2026 07:09
jcbartle pushed a commit to jcbartle/LibreChat that referenced this pull request May 11, 2026
…ila#12222)

* fix: sanitize artifact filenames to prevent path traversal in code output

* test: Mock sanitizeFilename function in process.spec.js to return the original filename

- Added a mock implementation for the `sanitizeFilename` function in the `process.spec.js` test file to return the original filename, ensuring that tests can run without altering the filename during the testing process.

* fix: use path.relative for traversal check, sanitize all filenames, add security logging

- Replace startsWith with path.relative pattern in saveLocalBuffer, consistent
  with deleteLocalFile and getLocalFileStream in the same file
- Hoist sanitizeFilename call before the image/non-image branch so both code
  paths store the sanitized name in MongoDB
- Log a warning when sanitizeFilename mutates a filename (potential traversal)
- Log a specific warning when saveLocalBuffer throws a traversal error, so
  security events are distinguishable from generic network errors in the catch

* test: improve traversal test coverage and remove mock reimplementation

- Remove partial sanitizeFilename reimplementation from process-traversal tests;
  use controlled mock returns to verify processCodeOutput wiring instead
- Add test for image branch sanitization
- Use mkdtempSync for test isolation in crud-traversal to avoid parallel worker
  collisions
- Add prefix-collision bypass test case (../user10/evil vs user1 directory)

* fix: use path.relative in isValidPath to prevent prefix-collision bypass

Pre-existing startsWith check without path separator had the same class
of prefix-collision vulnerability fixed in saveLocalBuffer.
ThomasVuNguyen pushed a commit to ThomasVuNguyen/LibreChat that referenced this pull request Jul 15, 2026
…ila#12222)

* fix: sanitize artifact filenames to prevent path traversal in code output

* test: Mock sanitizeFilename function in process.spec.js to return the original filename

- Added a mock implementation for the `sanitizeFilename` function in the `process.spec.js` test file to return the original filename, ensuring that tests can run without altering the filename during the testing process.

* fix: use path.relative for traversal check, sanitize all filenames, add security logging

- Replace startsWith with path.relative pattern in saveLocalBuffer, consistent
  with deleteLocalFile and getLocalFileStream in the same file
- Hoist sanitizeFilename call before the image/non-image branch so both code
  paths store the sanitized name in MongoDB
- Log a warning when sanitizeFilename mutates a filename (potential traversal)
- Log a specific warning when saveLocalBuffer throws a traversal error, so
  security events are distinguishable from generic network errors in the catch

* test: improve traversal test coverage and remove mock reimplementation

- Remove partial sanitizeFilename reimplementation from process-traversal tests;
  use controlled mock returns to verify processCodeOutput wiring instead
- Add test for image branch sanitization
- Use mkdtempSync for test isolation in crud-traversal to avoid parallel worker
  collisions
- Add prefix-collision bypass test case (../user10/evil vs user1 directory)

* fix: use path.relative in isValidPath to prevent prefix-collision bypass

Pre-existing startsWith check without path separator had the same class
of prefix-collision vulnerability fixed in saveLocalBuffer.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants