fix: enforce archive path containment when sessions dir is missing

Use path.resolve(sessionsDir) as fallback when realpathSync fails, ensuring the traversal guard stays active even for nonexistent agent directories. Previously the guard was skipped entirely.
2026-03-14 00:11:52 +08:00 · 2026-03-14 00:11:52 +08:00 · 5dda42a49f
commit 5dda42a49f
parent 038186e30d
1 changed files with 3 additions and 4 deletions
--- a/src/gateway/server-methods/usage.ts
+++ b/src/gateway/server-methods/usage.ts
@ -90,13 +90,12 @@ function resolveSessionUsageFileOrRespond(
    try {
      realSessionsDir = fs.realpathSync(sessionsDir);
    } catch {
-      // Sessions directory doesn't exist for this agent — no archived file possible
-      // Fall through to normal resolution
-      realSessionsDir = "";
+      // Sessions directory doesn't exist — use path.resolve as fallback base
+      // to still enforce containment against traversal attacks
+      realSessionsDir = path.resolve(sessionsDir);
    }
    const realSessionFile = path.resolve(sessionFile);
    if (
-      realSessionsDir &&
      !realSessionFile.startsWith(realSessionsDir + path.sep) &&
      realSessionFile !== realSessionsDir
    ) {