Potential fix for code scanning alert no. 312: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-03-10 16:37:40 +00:00 · 2026-03-06 01:16:52 +01:00
parent ba197cc286
commit 6d4cea0435
1 changed files with 6 additions and 1 deletions
--- a/server/utils/plugin-loader.js
+++ b/server/utils/plugin-loader.js
@@ -146,7 +146,12 @@ export function installPluginFromGit(url) {
    }

    const pluginsDir = getPluginsDir();
-    const targetDir = path.join(pluginsDir, repoName);
+    const targetDir = path.resolve(pluginsDir, repoName);
+
+    // Ensure the resolved target directory stays within the plugins directory
+    if (!targetDir.startsWith(pluginsDir + path.sep)) {
+      return reject(new Error('Invalid plugin directory path'));
+    }

    if (fs.existsSync(targetDir)) {
      return reject(new Error(`Plugin directory "${repoName}" already exists`));