fix: block group folder path escapes

2026-02-22 11:36:06 -05:00
parent de64dab3e9
commit c6391cceb1
9 changed files with 186 additions and 25 deletions
--- a/src/index.ts
+++ b/src/index.ts
@@ -3,7 +3,6 @@ import path from 'path';

 import {
  ASSISTANT_NAME,
-  DATA_DIR,
  IDLE_TIMEOUT,
  MAIN_GROUP_FOLDER,
  POLL_INTERVAL,
@@ -33,6 +32,7 @@ import {
  storeMessage,
 } from './db.js';
 import { GroupQueue } from './group-queue.js';
+import { resolveGroupFolderPath } from './group-folder.js';
 import { startIpcWatcher } from './ipc.js';
 import { findChannel, formatMessages, formatOutbound } from './router.js';
 import { startSchedulerLoop } from './task-scheduler.js';
@@ -78,11 +78,21 @@ function saveState(): void {
 }

 function registerGroup(jid: string, group: RegisteredGroup): void {
+  let groupDir: string;
+  try {
+    groupDir = resolveGroupFolderPath(group.folder);
+  } catch (err) {
+    logger.warn(
+      { jid, folder: group.folder, err },
+      'Rejecting group registration with invalid folder',
+    );
+    return;
+  }
+
  registeredGroups[jid] = group;
  setRegisteredGroup(jid, group);

  // Create group folder
-  const groupDir = path.join(DATA_DIR, '..', 'groups', group.folder);
  fs.mkdirSync(path.join(groupDir, 'logs'), { recursive: true });

  logger.info(