[HOTFIX] Validate request path in raw API endpoint (CVE-2025-53908) #2086

Merged (1 commit), Jul 16, 2025

Conversation

gantoine
Member

@gantoine gantoine commented Jul 16, 2025

Description
Explain the changes or enhancements you are proposing with this pull request.

  • Added proper input validation and sanitization to prevent directory traversal attacks
  • Implemented path normalization checks in the raw file serving endpoint

Checklist
Please check all that apply.

  • I've tested the changes locally
  • I've updated relevant comments
  • I've assigned reviewers for this PR
  • I've added unit tests that cover the changes

Screenshots

@gantoine gantoine requested a review from Copilot July 16, 2025 03:37
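The PR description above says the fix adds input validation and path normalisation to the raw file serving endpoint to stop directory traversal. The following is an added example, not RomM's code and not the patch in this PR: the risky join pattern beside a hardened resolver, written in Python because that is the project's language. The asset root, the `saves/game.srm` file, the `escape` symlink and the probed request paths are all constructed for the demo; `resolve_under_base` is an illustrative name, not a function in the project.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def unsafe_join(base: Path, requested: str) -> Path:
    """The risky pattern: build the path from client input and normalise it,
    but never check that the result is still under `base`.
    '../' walks out of the tree, and an absolute second argument makes
    os.path.join discard the base entirely."""
    return Path(os.path.normpath(os.path.join(str(base), requested)))


def resolve_under_base(base: Path, requested: str) -> Optional[Path]:
    """Hardened form: return the resolved path only if it lies strictly inside
    `base` after '..' and symlinks are resolved; otherwise return None."""
    if "\x00" in requested:              # a NUL byte would truncate the name in C-level calls
        return None
    if Path(requested).is_absolute():    # the client must not choose the root
        return None
    base_resolved = base.resolve()
    try:
        candidate = (base / requested).resolve(strict=False)
    except (OSError, RuntimeError):      # unreadable or looping symlink chains
        return None
    if candidate == base_resolved:       # the directory itself is not a file to serve
        return None
    if base_resolved not in candidate.parents:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway asset tree (constructed for this example) and report,
    per probe, whether the hardened resolver would serve it."""
    root = Path(tempfile.mkdtemp(prefix="assets_demo_"))
    (root / "saves").mkdir()
    (root / "saves" / "game.srm").write_bytes(b"SAVE")
    os.symlink("/etc", root / "escape")          # a link inside the tree that points outside it
    probes = [
        "saves/game.srm",            # legitimate file
        "../etc/passwd",             # classic traversal
        "saves/../../etc/passwd",    # traversal through an existing subdirectory
        "/etc/passwd",               # absolute path
        "escape/passwd",             # traversal via symlink, invisible to string checks
        "",                          # names the root directory itself
        "saves/..%2F..%2Fetc",       # not URL-decoded here: just an odd literal filename
    ]
    results = {p: resolve_under_base(root, p) is not None for p in probes}
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for probe, allowed in demo().items():
        print(f"{probe!r:28} -> {'serve' if allowed else 'reject'}")
```

The resolver compares resolved paths rather than strings, which is what catches the symlink case that a `".." in requested` check would miss. It deliberately does not URL-decode: the web framework has already decoded the route parameter once, and decoding again would create a double-decoding bypass. Existence of the file is left to the handler, since a 404 for a missing in-tree file is fine, while a 403 for anything outside the tree is the point of the check.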

trunk-io bot commented Jul 16, 2025

Running Code Quality on PRs by uploading data to Trunk will soon be removed. You can still run checks on your PRs using trunk-action - see the migration guide for more information.

Copilot

This comment was marked as outdated.


github-actions bot commented Jul 16, 2025

Test Results

92 tests: 92 passed, 0 skipped, 0 failed (1 suite, 1 file, 28s).

Results for commit baa1a97.

This comment has been updated with the latest results.

@gantoine gantoine force-pushed the hotfix-raw-endpoint-save-download-release branch from 0e7958c to 2076cc7 on July 16, 2025 03:44
@gantoine gantoine force-pushed the hotfix-raw-endpoint-save-download-release branch from 2076cc7 to baa1a97 on July 16, 2025 03:46
@gantoine gantoine requested a review from Copilot July 16, 2025 03:48
Copilot

This comment was marked as resolved.

@gantoine gantoine merged commit 97373a7 into release Jul 16, 2025
9 checks passed
@gantoine gantoine deleted the hotfix-raw-endpoint-save-download-release branch July 16, 2025 03:51
@gantoine gantoine changed the title from "[HOTFIX] Fix downloading saves from asset endpoint" to "[HOTFIX] Validate request path in raw API endpoint (CVE-2025-53908)" on Jul 16, 2025