Patch path traversal in move-files that can be used by `administrator…

…` level attacker only

frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx

@@ -98,7 +98,7 @@ const HistoricalMessage = ({
               saveChanges={saveEditedMessage}
             />
           ) : (
-            <div className={'overflow-x-scroll break-words'}>
+            <div className={"overflow-x-scroll break-words"}>
               <span
                 className={`flex flex-col gap-y-1`}
                 dangerouslySetInnerHTML={{

package.json

@@ -10,7 +10,7 @@
     "node": ">=18"
   },
   "scripts": {
-    "lint": "cd server && yarn lint && cd ../frontend && yarn lint && cd ../embed && yarn lint && cd ../collector && yarn lint",
+    "lint": "cd server && yarn lint && cd ../frontend && yarn lint && cd ../collector && yarn lint",
     "setup": "cd server && yarn && cd ../collector && yarn && cd ../frontend && yarn && cd .. && yarn setup:envs && yarn prisma:setup && echo \"Please run yarn dev:server, yarn dev:collector, and yarn dev:frontend in separate terminal tabs.\"",
     "setup:envs": "cp -n ./frontend/.env.example ./frontend/.env && cp -n ./server/.env.example ./server/.env.development && cp -n ./collector/.env.example ./collector/.env && cp -n ./docker/.env.example ./docker/.env && echo \"All ENV files copied!\n\"",
     "dev:server": "cd server && yarn dev",

server/endpoints/api/document/index.js

@@ -686,6 +686,12 @@ function apiDocumentEndpoints(app) {
           const sourcePath = path.join(documentsPath, normalizePath(from));
           const destinationPath = path.join(documentsPath, normalizePath(to));
           return new Promise((resolve, reject) => {
+            if (
+              !isWithin(documentsPath, sourcePath) ||
+              !isWithin(documentsPath, destinationPath)
+            )
+              return reject("Invalid file location");
+
             fs.rename(sourcePath, destinationPath, (err) => {
               if (err) {
                 console.error(`Error moving file ${from} to ${to}:`, err);

server/endpoints/document.js

@@ -60,6 +60,12 @@ function documentEndpoints(app) {
           const destinationPath = path.join(documentsPath, normalizePath(to));
 
           return new Promise((resolve, reject) => {
+            if (
+              !isWithin(documentsPath, sourcePath) ||
+              !isWithin(documentsPath, destinationPath)
+            )
+              return reject("Invalid file location");
+
             fs.rename(sourcePath, destinationPath, (err) => {
               if (err) {
                 console.error(`Error moving file ${from} to ${to}:`, err);

server/models/browserExtensionApiKey.js

@@ -88,9 +88,9 @@ const BrowserExtensionApiKey = {
 
   /**
    * Gets browser keys by params
-   * @param {object} clause 
-   * @param {number|null} limit 
-   * @param {object|null} orderBy 
+   * @param {object} clause
+   * @param {number|null} limit
+   * @param {object|null} orderBy
    * @returns {Promise<import("@prisma/client").browser_extension_api_keys[]>}
    */
   where: async function (clause = {}, limit = null, orderBy = null) {
@@ -111,9 +111,9 @@ const BrowserExtensionApiKey = {
   /**
    * Get browser API keys for user
    * @param {import("@prisma/client").users} user
-   * @param {object} clause 
-   * @param {number|null} limit 
-   * @param {object|null} orderBy 
+   * @param {object} clause
+   * @param {number|null} limit
+   * @param {object|null} orderBy
    * @returns {Promise<import("@prisma/client").browser_extension_api_keys[]>}
    */
   whereWithUser: async function (