security: fix path traversal vulnerability in conversion API #532
Open
Fluxmux wants to merge 1 commit into C4illin:main from
Conversation

C4illin (Owner) approved these changes on Feb 17, 2026:

Nice catch! Looks good to me
1. Input validation in src/pages/convert.tsx

   Added a check to ensure the convertTo parameter does not contain path traversal characters (/, \, ..). This is the first line of defense, blocking malicious input as soon as it enters the system.

2. Robust filename construction in src/converters/main.ts

   The original logic used a regex that would match the end of the string if the original file had no extension, allowing the malicious convertTo string to be appended. I've updated this to handle files without extensions explicitly and safely.

Summary by cubic

Blocks path traversal in the conversion API by validating convertTo input and safely building output filenames. Prevents writing files outside the output directory, including for files without extensions.

Written for commit edea7a5.
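The two defenses the description outlines, written out as an added TypeScript example. This is not the project's code from src/pages/convert.tsx or src/converters/main.ts; the function names (isSafeConvertTo, buildOutputFileName, resolveInsideOutputDir, planOutputPath), the alphanumeric allow-list for the target format, and the final containment check against the output directory are assumptions added here to show how the fix composes. The containment check goes beyond what the PR describes and is included as defense in depth: even if a future change weakens the input validation, a resolved path that leaves the output directory is still refused.

```typescript
import * as path from "node:path";

// Added example, not the project's code. All names below are hypothetical.

/**
 * First line of defense (mirrors the check described for convert.tsx):
 * reject any convertTo value containing "/", "\" or "..", then additionally
 * require a short alphanumeric format token (an assumption of this example).
 */
export function isSafeConvertTo(convertTo: unknown): convertTo is string {
  if (typeof convertTo !== "string" || convertTo.length === 0) return false;
  if (convertTo.includes("/") || convertTo.includes("\\") || convertTo.includes("..")) {
    return false;
  }
  return /^[A-Za-z0-9]{1,16}$/.test(convertTo);
}

/**
 * Robust filename construction (the second point of the PR): swap the
 * extension when there is one, append one when there is none. The upload
 * name is reduced to its basename so a directory part can never leak in.
 */
export function buildOutputFileName(originalName: string, convertTo: string): string {
  if (!isSafeConvertTo(convertTo)) {
    throw new Error(`invalid convertTo: ${JSON.stringify(convertTo)}`);
  }
  const base = path.basename(originalName);
  const ext = path.extname(base); // "" when the file has no extension
  const stem = ext ? base.slice(0, -ext.length) : base;
  return `${stem}.${convertTo}`;
}

/**
 * Defense in depth (not part of the PR as described): resolve the final path
 * and confirm it is inside outputDir. Comparing against root + path.sep avoids
 * the classic prefix bug where "/tmp/output.pdf" passes a check for "/tmp/out".
 */
export function resolveInsideOutputDir(outputDir: string, fileName: string): string {
  const root = path.resolve(outputDir);
  const target = path.resolve(root, fileName);
  if (target !== root && !target.startsWith(root + path.sep)) {
    throw new Error("output path escapes output directory");
  }
  return target;
}

/** End-to-end: returns the absolute output path, or null if any check fails. */
export function planOutputPath(
  outputDir: string,
  originalName: string,
  convertTo: string,
): string | null {
  if (!isSafeConvertTo(convertTo)) return null;
  try {
    return resolveInsideOutputDir(outputDir, buildOutputFileName(originalName, convertTo));
  } catch {
    return null;
  }
}
```

In a request handler the call is planOutputPath(outputDir, upload.name, req.convertTo); a null result maps to a 400 response before any converter runs, so the converter never sees a format string or a path it did not validate.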