theirongolddev/session-viewer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden session discovery with path validation and parallel I/O

Browse Source 
Security: Reject session paths containing '..' traversal segments or
non-.jsonl extensions before resolving them. This prevents a malicious
sessions-index.json from tricking the viewer into reading arbitrary files.

Performance: Process all project directories concurrently with Promise.all
instead of sequentially awaiting each one. Each directory's stat + readFile
is independent I/O that benefits from parallelism.

Add test case verifying that traversal paths and non-JSONL paths are rejected
while valid paths pass through.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Taylor Eernisse
2026-01-30 01:08:57 -05:00
parent 96da009086
commit eb8001dbf1
2 changed files with 98 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
src/server/services/session-discovery.ts
View File

@@ -28,46 +28,70 @@ export async function discoverSessions(
return sessions;
}
for (const projectDir of projectDirs) {
const projectPath = path.join(projectsDir, projectDir);
// Parallel I/O: stat + readFile for all project dirs concurrently
const results = await Promise.all(
projectDirs.map(async (projectDir) => {
const projectPath = path.join(projectsDir, projectDir);
const entries: SessionEntry[] = [];
let stat;
try {
stat = await fs.stat(projectPath);
} catch {
continue;
}
if (!stat.isDirectory()) continue;
const indexPath = path.join(projectPath, "sessions-index.json");
try {
const content = await fs.readFile(indexPath, "utf-8");
const parsed = JSON.parse(content);
// Handle both formats: raw array or { version, entries: [...] }
const entries: IndexEntry[] = Array.isArray(parsed)
? parsed
: parsed.entries ?? [];
for (const entry of entries) {
const sessionPath =
entry.fullPath ||
path.join(projectPath, `${entry.sessionId}.jsonl`);
sessions.push({
id: entry.sessionId,
summary: entry.summary || "",
firstPrompt: entry.firstPrompt || "",
project: projectDir,
created: entry.created || "",
modified: entry.modified || "",
messageCount: entry.messageCount || 0,
path: sessionPath,
});
let stat;
try {
stat = await fs.stat(projectPath);
} catch {
return entries;
}
} catch {
// Missing or corrupt index - skip
}
if (!stat.isDirectory()) return entries;
const indexPath = path.join(projectPath, "sessions-index.json");
try {
const content = await fs.readFile(indexPath, "utf-8");
const parsed = JSON.parse(content);
// Handle both formats: raw array or { version, entries: [...] }
const rawEntries: IndexEntry[] = Array.isArray(parsed)
? parsed
: parsed.entries ?? [];
for (const entry of rawEntries) {
const sessionPath =
entry.fullPath ||
path.join(projectPath, `${entry.sessionId}.jsonl`);
// Validate: reject paths with traversal segments or non-JSONL extensions.
// Check the raw path for ".." before resolving (resolve normalizes them away).
if (sessionPath.includes("..") || !sessionPath.endsWith(".jsonl")) {
continue;
}
const resolved = path.resolve(sessionPath);
// Containment check: reject paths that escape the projects directory.
// A corrupted or malicious index could set fullPath to an arbitrary
// absolute path like "/etc/shadow.jsonl".
if (!resolved.startsWith(projectsDir + path.sep) && resolved !== projectsDir) {
continue;
}
entries.push({
id: entry.sessionId,
summary: entry.summary || "",
firstPrompt: entry.firstPrompt || "",
project: projectDir,
created: entry.created || "",
modified: entry.modified || "",
messageCount: entry.messageCount || 0,
path: resolved,
});
}
} catch {
// Missing or corrupt index - skip
}
return entries;
})
);
for (const entries of results) {
sessions.push(...entries);
}
sessions.sort((a, b) => {