
fix(fxdk): prevent path traversal in remote resources #3920

Draft
VeinDevTtv wants to merge 1 commit into citizenfx:master from VeinDevTtv:fix/path-traversal-fxdk-2209

Conversation

@VeinDevTtv

Summary

Fixes the FxDK /vscode-remote-resource path traversal reported in #2209.

The shell backend previously passed the user-controlled path query through getRemoteResourcePath() and directly into res.sendFile(). Since sendFile() accepts absolute paths, a request such as ?path=C:/Windows/win.ini could read files outside the FxDK install.

Changes

  • Resolve and validate the FxCode resource path before serving it.
  • Reject empty resource paths.
  • Reject any resource path that resolves outside sdkRootFXCode using path.relative() and an absolute-path check.
  • Return HTTP 400 for invalid paths instead of passing them to Express sendFile().

This keeps the remote resource endpoint limited to the same SDK root already exposed by /fxcode-static, while blocking arbitrary absolute-path reads and .. traversal out of the FxCode root.

Validation

  • Reviewed the original issue and local path traversal analysis.
  • Verified the committed diff is limited to ext/sdk/resources/sdk-root/shell/src/backend/fxcode/fxcode-service.ts.
  • Checked path-boundary behavior for in-root FxCode paths, sibling-prefix paths, Windows system paths, and .. traversal.

Full package build was not run because this checkout does not have node_modules, and yarn is not installed locally.

Fixes citizenfx#2209

Validate the FxCode remote resource path before passing it to Express sendFile. The previous route trusted the user-controlled path query forwarded through getRemoteResourcePath, allowing arbitrary absolute paths to be served by the shell backend.

The route now rejects empty paths and paths that resolve outside sdkRootFXCode, preventing traversal and absolute-path reads while preserving FxCode resources under the SDK root.
@github-actions github-actions bot added the triage label (Needs a preliminary assessment to determine the urgency and required action) Apr 11, 2026
@VeinDevTtv VeinDevTtv marked this pull request as draft April 11, 2026 19:04