[PR #2905] [MERGED] Normalize paths on files uploaded to prevent arbitrary file writes #4171

Closed
opened 2026-02-22 18:35:17 -05:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Mintplex-Labs/anything-llm/pull/2905
Author: @shatfield4
Created: 12/26/2024
Status: Merged
Merged: 12/30/2024
Merged by: @timothycarambat

Base: masterHead: patch-arbitrary-file-write


📝 Commits (3)

  • cdb242f normalize paths on files uploaded to prevent arbitrary file writes
  • 89105c4 force normalize path in string parse
  • fa75ad8 Merge branch 'master' into patch-arbitrary-file-write

📊 Changes

1 file changed (+9 additions, -5 deletions)

View changed files

📝 server/utils/files/multer.js (+9 -5)

📄 Description

Pull Request Type

  • feat
  • 🐛 fix
  • ♻️ refactor
  • 💄 style
  • 🔨 chore
  • 📝 docs

Relevant Issues

resolves #xxx

What is in this change?

  • Patch a bug that would allow for arbitrary file writes using maliciously named files uploaded
  • Patched by using the normalizePath method to ensure we escape all malicious file names

Additional Information

Developer Validations

  • I ran yarn lint from the root of the repo & committed changes
  • Relevant documentation has been updated
  • I have tested my code functionality
  • Docker build succeeds locally

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Mintplex-Labs/anything-llm/pull/2905 **Author:** [@shatfield4](https://github.com/shatfield4) **Created:** 12/26/2024 **Status:** ✅ Merged **Merged:** 12/30/2024 **Merged by:** [@timothycarambat](https://github.com/timothycarambat) **Base:** `master` ← **Head:** `patch-arbitrary-file-write` --- ### 📝 Commits (3) - [`cdb242f`](https://github.com/Mintplex-Labs/anything-llm/commit/cdb242fc35ff5cc9b53183364e0f25284a57b11a) normalize paths on files uploaded to prevent arbitrary file writes - [`89105c4`](https://github.com/Mintplex-Labs/anything-llm/commit/89105c44b7a24ab83a2eebabf0b0cc0b096ed4c9) force normalize path in string parse - [`fa75ad8`](https://github.com/Mintplex-Labs/anything-llm/commit/fa75ad8b520715718091e3c0832013707f502fb3) Merge branch 'master' into patch-arbitrary-file-write ### 📊 Changes **1 file changed** (+9 additions, -5 deletions) <details> <summary>View changed files</summary> 📝 `server/utils/files/multer.js` (+9 -5) </details> ### 📄 Description ### Pull Request Type <!-- For change type, change [ ] to [x]. --> - [ ] ✨ feat - [x] 🐛 fix - [ ] ♻️ refactor - [ ] 💄 style - [ ] 🔨 chore - [ ] 📝 docs ### Relevant Issues <!-- Use "resolves #xxx" to auto resolve on merge. Otherwise, please use "connect #xxx" --> resolves #xxx ### What is in this change? <!-- Describe the changes in this PR that are impactful to the repo. --> - Patch a bug that would allow for arbitrary file writes using maliciously named files uploaded - Patched by using the `normalizePath` method to ensure we escape all malicious file names ### Additional Information <!-- Add any other context about the Pull Request here that was not captured above. --> ### Developer Validations <!-- All of the applicable items should be checked. --> - [x] I ran `yarn lint` from the root of the repo & committed changes - [x] Relevant documentation has been updated - [x] I have tested my code functionality - [x] Docker build succeeds locally --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-02-22 18:35:17 -05:00
yindo closed this issue 2026-02-22 18:35:17 -05:00
yindo changed title from [PR #2905] Normalize paths on files uploaded to prevent arbitrary file writes to [PR #2905] [MERGED] Normalize paths on files uploaded to prevent arbitrary file writes 2026-06-05 15:17:12 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#4171