fix: prevent path traversal in save_text_file

2026-05-22 19:47:15 +00:00 · 2026-04-24 08:53:45 +07:00 · 2026-04-24 08:53:45 +07:00 · 813dfaf375
commit 813dfaf375
parent 3fa8481ba2
1 changed files with 1 additions and 1 deletions
--- a/helpers/file_browser.py
+++ b/helpers/file_browser.py
@ -169,7 +169,7 @@ class FileBrowser:
                raise ValueError("File exceeds 1 MB and cannot be edited")

            full_path = (self.base_dir / file_path).resolve()
-            if not str(full_path).startswith(str(self.base_dir)):
+            if not full_path.is_relative_to(self.base_dir.resolve()):
                raise ValueError("Invalid path")
            if full_path.exists() and full_path.is_dir():
                raise ValueError("Target is a directory")