From 5dda42a49fcbb8f3e2dc9ccc07cdf069d1753342 Mon Sep 17 00:00:00 2001
From: robo7 <robo781@users.noreply.github.com>
Date: Sat, 14 Mar 2026 00:11:52 +0800
Subject: [PATCH] fix: enforce archive path containment when sessions dir is
 missing

Use path.resolve(sessionsDir) as fallback when realpathSync fails,
ensuring the traversal guard stays active even for nonexistent agent
directories. Previously the guard was skipped entirely.
---
 src/gateway/server-methods/usage.ts | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/gateway/server-methods/usage.ts b/src/gateway/server-methods/usage.ts
index e530029a647..865ab231d7e 100644
--- a/src/gateway/server-methods/usage.ts
+++ b/src/gateway/server-methods/usage.ts
@@ -90,13 +90,12 @@ function resolveSessionUsageFileOrRespond(
     try {
       realSessionsDir = fs.realpathSync(sessionsDir);
     } catch {
-      // Sessions directory doesn't exist for this agent — no archived file possible
-      // Fall through to normal resolution
-      realSessionsDir = "";
+      // Sessions directory doesn't exist — use path.resolve as fallback base
+      // to still enforce containment against traversal attacks
+      realSessionsDir = path.resolve(sessionsDir);
     }
     const realSessionFile = path.resolve(sessionFile);
     if (
-      realSessionsDir &&
       !realSessionFile.startsWith(realSessionsDir + path.sep) &&
       realSessionFile !== realSessionsDir
     ) {