viktor/beadboard
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
beadboard/src/app/api/sessions/route.ts
openhands e46062b4f5 fix: address critical security and stability issues 
- Fix path traversal vulnerabilities in API route validation functions
- Fix path traversal in readiness-report.mjs artifact validation
- Add file locking to prevent race conditions in agent-reservations.ts
- Fix event ordering in ActivityEventBus by capturing snapshot before modification
- Fix memory leaks in watcher.ts by explicitly removing chokidar listeners
- Add command injection sanitization in mutations.ts

Co-authored-by: openhands <openhands@all-hands.dev>
2026-02-14 16:36:27 +00:00

60 lines
1.9 KiB
TypeScript
Raw Blame History

import { NextResponse } from 'next/server';
import path from 'node:path';
import { readIssuesFromDisk } from '../../../lib/read-issues';
import { activityEventBus } from '../../../lib/realtime';
import { buildSessionTaskFeed, getCommunicationSummary } from '../../../lib/agent-sessions';
function isValidProjectRoot(root: string): boolean {
try {
const resolved = path.resolve(root);
if (!path.isAbsolute(resolved)) {
return false;
}
// Prevent path traversal by ensuring resolved path doesn't escape the project
const normalized = path.normalize(resolved);
// Check that the path doesn't contain traversal patterns
if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
return false;
}
return true;
} catch {
return false;
}
}
export const dynamic = 'force-dynamic';
export async function GET(request: Request): Promise<Response> {
const url = new URL(request.url);
const projectRootParam = url.searchParams.get('projectRoot');
const projectRoot = projectRootParam ?? process.cwd();
if (projectRootParam && !isValidProjectRoot(projectRoot)) {
return NextResponse.json(
{ ok: false, error: { classification: 'validation', message: 'Invalid projectRoot path' } },
{ status: 400 }
);
}
try {
const issues = await readIssuesFromDisk({ projectRoot, preferBd: true });
const activity = activityEventBus.getHistory(projectRoot);
const communication = await getCommunicationSummary();
const feed = buildSessionTaskFeed(issues, activity, communication);
return NextResponse.json({ ok: true, feed });
} catch (error) {
console.error('[API/Sessions] Failed to load session feed:', error);
return NextResponse.json(
{
ok: false,
error: {
classification: 'internal_error',
message: 'An internal error occurred while loading the session feed.',
},
},
{ status: 500 },
);
}
}
Reference in a new issue View git blame Copy permalink