fix(logs): block path traversal in log file download endpoint

enoch85 · enoch85 · commit 8f6550fca367 · 2026-04-28T18:02:11.000Z
The safeLogFileRegex was unanchored, allowing any string containing a
maintainerr-YYYY-MM-DD.log substring to pass validation. Combined with
path.join, an attacker could read arbitrary files via URL-encoded
traversal segments (e.g. maintainerr-2026-01-01.log%2F..%2F..%2Fetc%2Fpasswd).

Anchor the regex and add a defense-in-depth canonical-path check that
rejects symlinks and verifies the resolved path stays inside the logs
directory.
diff --git a/apps/server/src/modules/logging/logs.controller.spec.ts b/apps/server/src/modules/logging/logs.controller.spec.ts
@@ -1,15 +1,58 @@
 import {
   MessageEvent as NestMessageEvent,
+  HttpException,
+  HttpStatus,
   RawBodyRequest,
+  StreamableFile,
 } from '@nestjs/common';
 import { EventEmitter2 } from '@nestjs/event-emitter';
 import { Response } from 'express';
 import { EventEmitter } from 'events';
+import * as fs from 'fs';
+import { lstat, realpath } from 'fs/promises';
 import { IncomingMessage } from 'http';
+import { PassThrough } from 'stream';
 import { createMockLogger } from '../../../test/utils/data';
 import { LogSettingsService } from './logs.service';
 import { LogsController } from './logs.controller';
 
+jest.mock('fs', () => {
+  const actual = jest.requireActual('fs');
+  return {
+    ...actual,
+    createReadStream: jest.fn(),
+    readdir: jest.fn(
+      (
+        _dir: string,
+        callback: (
+          error: NodeJS.ErrnoException | null,
+          files: string[],
+        ) => void,
+      ) => {
+        callback(null, []);
+      },
+    ),
+  };
+});
+
+jest.mock('fs/promises', () => {
+  const actual = jest.requireActual('fs/promises');
+  return {
+    ...actual,
+    lstat: jest.fn(),
+    readdir: jest.fn(),
+    realpath: jest.fn(),
+    stat: jest.fn(),
+  };
+});
+
+const createReadStreamMock = fs.createReadStream as jest.MockedFunction<
+  typeof fs.createReadStream
+>;
+
+const lstatMock = jest.mocked(lstat);
+const realpathMock = jest.mocked(realpath);
+
 class MockSocket extends EventEmitter {
   setKeepAlive = jest.fn();
   setNoDelay = jest.fn();
@@ -40,14 +83,20 @@ const buildRequest = (): RawBodyRequest<IncomingMessage> =>
     socket: new MockSocket(),
   }) as unknown as RawBodyRequest<IncomingMessage>;
 
+const createController = () =>
+  new LogsController(
+    {} as unknown as LogSettingsService,
+    new EventEmitter2(),
+    createMockLogger(),
+  );
+
 describe('LogsController', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
   it('removes SSE clients when writing a log event to a closed stream fails', async () => {
-    const eventEmitter = new EventEmitter2();
-    const controller = new LogsController(
-      {} as unknown as LogSettingsService,
-      eventEmitter,
-      createMockLogger(),
-    );
+    const controller = createController();
     const response = new MockResponse();
 
     await controller.stream(response as unknown as Response, buildRequest());
@@ -72,4 +121,61 @@ describe('LogsController', () => {
     expect(() => controller.sendDataToClient(clientId, message)).not.toThrow();
     expect(controller.connectedClients.size).toBe(0);
   });
+
+  it('rejects filenames that only contain a valid log filename as a substring', async () => {
+    const controller = createController();
+
+    await controller
+      .getFile('maintainerr-2026-04-28.log.bak')
+      .catch((error: HttpException) => {
+        expect(error.getStatus()).toBe(HttpStatus.BAD_REQUEST);
+        expect(error.message).toBe('Invalid file');
+      });
+
+    expect(lstatMock).not.toHaveBeenCalled();
+    expect(realpathMock).not.toHaveBeenCalled();
+    expect(createReadStreamMock).not.toHaveBeenCalled();
+  });
+
+  it('rejects symlinked log files before opening the stream', async () => {
+    const controller = createController();
+    lstatMock.mockResolvedValue({
+      isFile: () => false,
+      isSymbolicLink: () => true,
+    } as Awaited<ReturnType<typeof lstat>>);
+
+    await controller
+      .getFile('maintainerr-2026-04-28.log')
+      .catch((error: HttpException) => {
+        expect(error.getStatus()).toBe(HttpStatus.BAD_REQUEST);
+        expect(error.message).toBe('Invalid file');
+      });
+
+    expect(realpathMock).not.toHaveBeenCalled();
+    expect(createReadStreamMock).not.toHaveBeenCalled();
+  });
+
+  it('streams regular log files from the resolved canonical path', async () => {
+    const controller = createController();
+    const stream = new PassThrough();
+    lstatMock.mockResolvedValue({
+      isFile: () => true,
+      isSymbolicLink: () => false,
+    } as Awaited<ReturnType<typeof lstat>>);
+    realpathMock
+      .mockResolvedValueOnce('/workspaces/Maintainerr/data/logs')
+      .mockResolvedValueOnce(
+        '/workspaces/Maintainerr/data/logs/maintainerr-2026-04-28.log',
+      );
+    createReadStreamMock.mockReturnValue(
+      stream as unknown as ReturnType<typeof fs.createReadStream>,
+    );
+
+    const response = await controller.getFile('maintainerr-2026-04-28.log');
+
+    expect(response).toBeInstanceOf(StreamableFile);
+    expect(createReadStreamMock).toHaveBeenCalledWith(
+      '/workspaces/Maintainerr/data/logs/maintainerr-2026-04-28.log',
+    );
+  });
 });
diff --git a/apps/server/src/modules/logging/logs.controller.ts b/apps/server/src/modules/logging/logs.controller.ts
@@ -22,7 +22,7 @@ import {
 import { EventEmitter2 } from '@nestjs/event-emitter';
 import { Response } from 'express';
 import { createReadStream, readdir } from 'fs';
-import { readdir as readdirp, stat } from 'fs/promises';
+import { lstat, readdir as readdirp, realpath, stat } from 'fs/promises';
 import { IncomingMessage } from 'http';
 import mime from 'mime-types';
 import { ZodValidationPipe } from 'nestjs-zod';
@@ -51,7 +51,10 @@ const logsDirectory =
     ? '/opt/data/logs'
     : path.join(__dirname, `../../../../../data/logs`);
 
-const safeLogFileRegex = /maintainerr-\d{4}-\d{2}-\d{2}\.log(\.gz)?/;
+const safeLogFileRegex = /^maintainerr-\d{4}-\d{2}-\d{2}\.log(\.gz)?$/;
+
+const isPathInsideDirectory = (directoryPath: string, candidatePath: string) =>
+  candidatePath.startsWith(`${directoryPath}${path.sep}`);
 
 @Controller('/api/logs')
 export class LogsController implements BeforeApplicationShutdown {
@@ -269,8 +272,29 @@ export class LogsController implements BeforeApplicationShutdown {
     }
 
     const filePath = path.join(logsDirectory, file);
-    const fileMimeType = mime.lookup(filePath);
-    const fileStream: Readable = createReadStream(filePath);
+    const fileStats = await lstat(filePath).catch(
+      (error: NodeJS.ErrnoException) => {
+        if (error.code === 'ENOENT') {
+          throw new HttpException('File not found', HttpStatus.NOT_FOUND);
+        }
+
+        throw error;
+      },
+    );
+    if (fileStats.isSymbolicLink() || !fileStats.isFile()) {
+      throw new HttpException('Invalid file', HttpStatus.BAD_REQUEST);
+    }
+
+    const [resolvedDir, resolvedFilePath] = await Promise.all([
+      realpath(logsDirectory),
+      realpath(filePath),
+    ]);
+    if (!isPathInsideDirectory(resolvedDir, resolvedFilePath)) {
+      throw new HttpException('Invalid file', HttpStatus.BAD_REQUEST);
+    }
+
+    const fileMimeType = mime.lookup(resolvedFilePath);
+    const fileStream: Readable = createReadStream(resolvedFilePath);
 
     return new StreamableFile(fileStream, {
       type: fileMimeType !== false ? fileMimeType : 'application/octet-stream',
