Skip to content

Security: Insecure Direct Object Reference in Template Loading#824

Merged
aeifn merged 1 commit into
PastVu:mainfrom
tomaioo:fix/security/insecure-direct-object-reference-in-temp
Jul 6, 2026
Merged

Security: Insecure Direct Object Reference in Template Loading#824
aeifn merged 1 commit into
PastVu:mainfrom
tomaioo:fix/security/insecure-direct-object-reference-in-temp

Conversation

@tomaioo

@tomaioo tomaioo commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

Security: Insecure Direct Object Reference in Template Loading

Problem

Severity: Medium | File: controllers/tpl.js:L17

The controllers/tpl.js file loads templates based on user-provided path parameters. While it does check against a whitelist (tpls.includes(tplPath)), the path construction uses string concatenation ('module/' + tplPath) which could potentially be bypassed if the whitelist check has flaws or if path traversal sequences are somehow processed.

Solution

Use path.join with proper normalization, ensure strict path validation against an allowlist, and consider using a more robust template resolution mechanism that doesn't rely on user-provided path granularity.

Changes

  • controllers/tpl.js (modified)

The `controllers/tpl.js` file loads templates based on user-provided path parameters. While it does check against a whitelist (`tpls.includes(tplPath)`), the path construction uses string concatenation (`'module/' + tplPath`) which could potentially be bypassed if the whitelist check has flaws or if path traversal sequences are somehow processed.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@aeifn aeifn self-requested a review July 6, 2026 12:56
@aeifn aeifn merged commit fd97380 into PastVu:main Jul 6, 2026
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants