fix: prevent out-of-workspace-root access for open-in-editor and open-in-file (#255)

arashsheyda · web-flow · commit e4b6d167fa74 · 2026-03-25T09:21:38.000-07:00
diff --git a/packages/core/src/node/__tests__/open-in-editor.test.ts b/packages/core/src/node/__tests__/open-in-editor.test.ts
@@ -0,0 +1,53 @@
+import type { DevToolsNodeContext } from '@vitejs/devtools-kit'
+import { resolve } from 'node:path'
+import { describe, expect, it, vi } from 'vitest'
+import { openInEditor } from '../rpc/public/open-in-editor'
+
+// Mock launch-editor so tests don't actually open files
+vi.mock('launch-editor', () => ({
+  default: vi.fn(),
+}))
+
+describe('openInEditor – path traversal protection', () => {
+  const cwd = resolve('/project/root')
+  const workspaceRoot = resolve('/project')
+  const mockContext = { cwd, workspaceRoot } as DevToolsNodeContext
+
+  async function getHandler() {
+    const setup = openInEditor.setup!
+    const { handler } = await setup(mockContext)
+    expect(handler).toBeTypeOf('function')
+    return handler as (path: string) => Promise<void>
+  }
+
+  it('allows opening a file inside the project root', async () => {
+    const handler = await getHandler()
+    await expect(handler('src/main.ts')).resolves.not.toThrow()
+  })
+
+  it('allows opening a nested file inside the project root', async () => {
+    const handler = await getHandler()
+    await expect(handler('src/utils/helper.ts')).resolves.not.toThrow()
+  })
+
+  it('rejects path traversal with ../', async () => {
+    const handler = await getHandler()
+    await expect(handler('../../etc/passwd')).rejects.toThrow(
+      'Path is outside the workspace root',
+    )
+  })
+
+  it('rejects absolute path outside project root', async () => {
+    const handler = await getHandler()
+    await expect(handler('/etc/passwd')).rejects.toThrow(
+      'Path is outside the workspace root',
+    )
+  })
+
+  it('rejects traversal disguised within a subpath', async () => {
+    const handler = await getHandler()
+    await expect(handler('src/../../secret/file.txt')).rejects.toThrow(
+      'Path is outside the workspace root',
+    )
+  })
+})
diff --git a/packages/core/src/node/rpc/public/open-in-editor.ts b/packages/core/src/node/rpc/public/open-in-editor.ts
@@ -1,12 +1,21 @@
+import { relative, resolve } from 'node:path'
 import { defineRpcFunction } from '@vitejs/devtools-kit'
 
 export const openInEditor = defineRpcFunction({
   name: 'vite:core:open-in-editor',
   type: 'action',
-  setup: () => {
+  setup: (context) => {
     return {
       handler: async (path: string) => {
-        await import('launch-editor').then(r => r.default(path))
+        const resolved = resolve(context.workspaceRoot, path)
+        const rel = relative(context.workspaceRoot, resolved)
+
+        // Prevent escaping the workspace root
+        if (rel.startsWith('..') || rel.includes('\0')) {
+          throw new Error('Path is outside the workspace root')
+        }
+
+        await import('launch-editor').then(r => r.default(resolved))
       },
     }
   },
diff --git a/packages/core/src/node/rpc/public/open-in-finder.ts b/packages/core/src/node/rpc/public/open-in-finder.ts
@@ -1,12 +1,21 @@
+import { relative, resolve } from 'node:path'
 import { defineRpcFunction } from '@vitejs/devtools-kit'
 
 export const openInFinder = defineRpcFunction({
   name: 'vite:core:open-in-finder',
   type: 'action',
-  setup: () => {
+  setup: (context) => {
     return {
       handler: async (path: string) => {
-        await import('open').then(r => r.default(path))
+        const resolved = resolve(context.workspaceRoot, path)
+        const rel = relative(context.workspaceRoot, resolved)
+
+        // Ensure the path stays within workspace root
+        if (rel.startsWith('..') || rel.includes('\0')) {
+          throw new Error('Path is outside the workspace root')
+        }
+
+        await import('open').then(r => r.default(resolved))
       },
     }
   },
