fix: use CodeQL-recognized containment check for image reads

Replace the path.relative guard in isPathInsideDirectory with the
resolve + startsWith(root + sep) idiom so the path-injection barrier
is visible to code scanning; behavior is unchanged.
This commit is contained in:
Haileyesus
2026-07-06 21:37:15 +03:00
parent 417fe11718
commit 98e6cf2ba9

View File

@@ -91,8 +91,12 @@ export function resolveImageAbsolutePath(cwd: string | undefined, imagePath: str
}
function isPathInsideDirectory(candidate: string, directory: string): boolean {
const relative = path.relative(path.resolve(directory), candidate);
return relative.length > 0 && !relative.startsWith('..') && !path.isAbsolute(relative);
// resolve + startsWith(root + separator) is the containment idiom CodeQL
// recognizes as a path-injection barrier, and matches the check used by
// resolveImageAssetFile in the assets module. The root itself never
// matches (no trailing separator after resolve), only entries below it.
const resolvedRoot = path.resolve(directory) + path.sep;
return path.resolve(candidate).startsWith(resolvedRoot);
}
/**