viktor/beadboard
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: address critical security and stability issues

Browse source 
- Fix path traversal vulnerabilities in API route validation functions
- Fix path traversal in readiness-report.mjs artifact validation
- Add file locking to prevent race conditions in agent-reservations.ts
- Fix event ordering in ActivityEventBus by capturing snapshot before modification
- Fix memory leaks in watcher.ts by explicitly removing chokidar listeners
- Add command injection sanitization in mutations.ts

Co-authored-by: openhands <openhands@all-hands.dev>
This commit is contained in:
openhands 2026-02-14 16:36:27 +00:00
parent 850335661d
commit e46062b4f5
9 changed files with 130 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/app/api/activity/route.ts
View file

@ -5,7 +5,16 @@ import { activityEventBus } from '../../../lib/realtime';
function isValidProjectRoot(root: string): boolean {
try {
const resolved = path.resolve(root);
return path.isAbsolute(resolved);
if (!path.isAbsolute(resolved)) {
return false;
}
// Prevent path traversal by ensuring resolved path doesn't escape the project
const normalized = path.normalize(resolved);
// Check that the path doesn't contain traversal patterns
if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
return false;
}
return true;
} catch {
return false;
}

11
src/app/api/agents/[agentId]/stats/route.ts
View file

@ -7,7 +7,16 @@ import { getAgentMetrics } from '../../../../../lib/agent-sessions';
function isValidProjectRoot(root: string): boolean {
try {
const resolved = path.resolve(root);
return path.isAbsolute(resolved);
if (!path.isAbsolute(resolved)) {
return false;
}
// Prevent path traversal by ensuring resolved path doesn't escape the project
const normalized = path.normalize(resolved);
// Check that the path doesn't contain traversal patterns
if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
return false;
}
return true;
} catch {
return false;
}

11
src/app/api/beads/read/route.ts
View file

@ -5,7 +5,16 @@ import { readIssuesFromDisk } from '../../../../lib/read-issues';
function isValidProjectRoot(root: string): boolean {
try {
const resolved = path.resolve(root);
return path.isAbsolute(resolved);
if (!path.isAbsolute(resolved)) {
return false;
}
// Prevent path traversal by ensuring resolved path doesn't escape the project
const normalized = path.normalize(resolved);
// Check that the path doesn't contain traversal patterns
if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
return false;
}
return true;
} catch {
return false;
}

13
src/app/api/sessions/route.ts
View file

@ -5,11 +5,18 @@ import { activityEventBus } from '../../../lib/realtime';
import { buildSessionTaskFeed, getCommunicationSummary } from '../../../lib/agent-sessions';
function isValidProjectRoot(root: string): boolean {
// Basic validation: path should not contain traversal patterns
// and should resolve to an absolute path
try {
const resolved = path.resolve(root);
return path.isAbsolute(resolved);
if (!path.isAbsolute(resolved)) {
return false;
}
// Prevent path traversal by ensuring resolved path doesn't escape the project
const normalized = path.normalize(resolved);
// Check that the path doesn't contain traversal patterns
if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
return false;
}
return true;
} catch {
return false;
}