MindWorkAI/AI-Studio
MindWorkAI/AI-Studio
1
0
Fork 0
mirror of https://github.com/MindWorkAI/AI-Studio.git synced 2026-06-27 19:16:27 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added explicit validation for '..' path segments

Browse Source
This commit is contained in:
Thorsten Sommer 2026-05-22 15:44:51 +02:00
parent 8cc24a27f7
commit 0fc78939b7
Signed by untrusted user who does not match committer: tsommer
GPG Key ID: 371BBA77A02C0108
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/MindWork AI Studio/Settings/ChatTemplate.cs
View File

@ -220,6 +220,13 @@ public record ChatTemplate(
var relativePath = filePath var relativePath = filePath
.Replace('/', Path.DirectorySeparatorChar) .Replace('/', Path.DirectorySeparatorChar)
.Replace('\\', Path.DirectorySeparatorChar); .Replace('\\', Path.DirectorySeparatorChar);
if (relativePath.Split(Path.DirectorySeparatorChar, StringSplitOptions.RemoveEmptyEntries).Any(segment => segment == ".."))
{
LOGGER.LogWarning("The relative FileAttachments entry {AttachmentNum} in chat template {IdxChatTemplate} contains '..' path segments and will be ignored.", attachmentNum, idx);
return false;
}
var combinedPath = Path.GetFullPath(Path.Combine(pluginRoot, relativePath)); var combinedPath = Path.GetFullPath(Path.Combine(pluginRoot, relativePath));
var pluginRootWithSeparator = pluginRoot.EndsWith(Path.DirectorySeparatorChar) var pluginRootWithSeparator = pluginRoot.EndsWith(Path.DirectorySeparatorChar)
? pluginRoot ? pluginRoot