Harden preview server against path traversal #3

Open
baanish wants to merge 1 commit into main from codex/propose-fix-for-path-traversal-vulnerability

baanish (Owner) commented Mar 9, 2026

Motivation

  • Prevent potential directory traversal from requests reaching scripts/serve-export.mjs and allowing reads outside the out/ directory.
  • Keep the preview server usable for local static previews while removing the risk of serving arbitrary filesystem files.

Description

  • Update toFilePath in scripts/serve-export.mjs to safely translate URL paths to filesystem paths.
  • Decode URL components with decodeURIComponent and reject malformed encodings.
  • Explicitly reject .. path segments and normalize the path using path.posix.normalize.
  • Resolve the candidate path with path.resolve(outputDirectory, ...) and enforce containment by checking the resolved path is equal to outputDirectory or starts with ${outputDirectory}${path.sep} before serving.
  • Preserve existing behavior of mapping directory requests to index.html and returning 404 for invalid or missing files.

Testing

  • Ran node --check scripts/serve-export.mjs which succeeded.
  • Performed a preview-server smoke test that started the server and validated that / returned 200 and an encoded traversal attempt /%2e%2e/secret.txt returned 404, demonstrating the traversal is blocked.

Codex Task

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced path validation and error handling when serving files to ensure more secure and reliable file access.

cloudflare-workers-and-pages bot commented Mar 9, 2026

Deploying agent-render with Cloudflare Pages

Latest commit: be74e98
Status: ✅  Deploy successful!
Preview URL: https://f9e8053d.agent-render.pages.dev
Branch Preview URL: https://codex-propose-fix-for-path-t.agent-render.pages.dev

coderabbitai bot (Contributor) commented Mar 9, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e66ecdf0-d26d-40f5-9caf-c5a91ecec997

📥 Commits

Reviewing files that changed from the base of the PR and between 7cab153 and be74e98.

📒 Files selected for processing (1)
  • scripts/serve-export.mjs

Walkthrough

Enhanced path validation in the file serving function by adding URL decoding, directory traversal prevention, path normalization, and containment checks to ensure resolved paths remain within the designated output directory.

Changes

Cohort / File(s): Path Validation Enhancement (scripts/serve-export.mjs)
Summary: Added URL decoding with error handling, directory traversal prevention via ".." rejection, path normalization and resolution, and containment verification to ensure resolved paths stay within the output directory while preserving existing directory index behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Beware the path that wanders wide,
With ".." segments lurking inside!
We decode and check with cautious care,
Keeping all files safe within our lair. 🛡️✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Check name: Docstring Coverage
    Status: ⚠️ Warning
    Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.
    Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Check name: Description Check
    Status: ✅ Passed
    Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Check name: Title check
    Status: ✅ Passed
    Explanation: The title 'Harden preview server against path traversal' directly and clearly summarizes the main security improvement in the changeset.


kilo-code-bot bot commented Mar 9, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 file)
  • scripts/serve-export.mjs - Path traversal vulnerability fix

Security Fix Analysis

This PR correctly addresses a path traversal vulnerability in the static export server (scripts/serve-export.mjs). The fix implements multiple defensive layers:

  1. URL decoding (line 55): Handles URL-encoded path traversal attempts like %2e%2e
  2. Segment validation (line 60): Checks for .. as a standalone path segment
  3. Path normalization (line 64): Uses path.posix.normalize() for consistent behavior
  4. Directory containment check (lines 66-71): Ensures the resolved path stays within the output directory

The implementation correctly uses path.resolve() instead of path.join() to resolve the path and then validates it's within the output directory bounds. This prevents attacks like /etc/passwd or ../../etc/passwd.

No issues found with this security fix.
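
Added example, not part of the pull request or of any comment above: a sketch of the checks listed in the PR description and in the kilo-code-bot review (decode once, reject `..` segments, normalize, resolve, verify containment). The names `toFilePath` and `outputDirectory` come from the page; the function body, the `isContained` helper, the backslash handling and the sample requests are assumptions made for illustration, not the contents of scripts/serve-export.mjs.

```javascript
const path = require("node:path");

// Assumed root; the PR only names the directory as out/.
const outputDirectory = path.resolve("out");

// Containment test from the PR description: equal to the root, or under root + separator.
// The separator matters: a bare startsWith(root) would also accept a sibling like "out-private".
function isContained(root, candidate) {
  return candidate === root || candidate.startsWith(root + path.sep);
}

// Translate a request path (no query string) to a file under root; null means "answer 404".
function toFilePath(urlPath, root = outputDirectory) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath); // decode exactly once
  } catch {
    return null; // malformed percent-encoding
  }
  // Reject ".." as a whole segment. Splitting on "\" as well is an extra
  // precaution for Windows hosts and is not among the PR's listed steps.
  if (decoded.split(/[\\/]/).includes("..")) return null;

  let normalized = path.posix.normalize("/" + decoded);
  if (normalized.endsWith("/")) normalized += "index.html"; // directory request

  const candidate = path.resolve(root, "." + normalized);
  return isContained(root, candidate) ? candidate : null;
}

// Constructed sample requests, echoing the smoke test in the PR description.
for (const p of ["/", "/docs/", "/%2e%2e/secret.txt", "/%252e%252e/secret.txt", "/%zz"]) {
  console.log(p, "->", toFilePath(p));
}
```

The double-encoded request `/%252e%252e/secret.txt` is decoded a single time, so it maps to a literal `%2e%2e` directory inside the root instead of being treated as a parent reference.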
