mirror of
https://github.com/ChuckBuilds/LEDMatrix.git
synced 2026-04-10 13:02:59 +00:00
* fix(security): use Path.relative_to() for path confinement check

Replace str.startswith() path check with Path.relative_to() in the plugin file viewer endpoint. startswith() can be bypassed when a directory name is a prefix of another (e.g., /plugins/foo vs /plugins/foobar). relative_to() correctly validates containment.

Co-Authored-By: 5ymb01 <noreply@github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: trigger CodeRabbit review

---------

Co-authored-by: 5ymb01 <5ymb01@users.noreply.github.com>
Co-authored-by: 5ymb01 <noreply@github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
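
The two checks named in the commit message, side by side, as an added example (not code from the LEDMatrix repository). The function names, directory layout and file names are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path


def confined_startswith(base: Path, requested: str) -> bool:
    """Pre-fix style check: string prefix comparison on resolved paths."""
    target = (base / requested).resolve()
    return str(target).startswith(str(base.resolve()))


def confined_relative_to(base: Path, requested: str) -> bool:
    """Post-fix style check: component-wise containment via relative_to()."""
    target = (base / requested).resolve()
    try:
        target.relative_to(base.resolve())
    except ValueError:
        # Raised when target is not located under base.
        return False
    return True


def compare_checks() -> dict:
    """Run both checks over constructed request paths; return {path: (old, new)}."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "plugins"
        foo = plugins / "foo"          # directory the viewer should be confined to
        sibling = plugins / "foobar"   # sibling whose name shares the "foo" prefix
        foo.mkdir(parents=True)
        sibling.mkdir()
        (foo / "manifest.json").write_text("{}")
        (sibling / "config.json").write_text("{}")
        # Constructed sample inputs: one legitimate, one prefix-sibling, one outside.
        requests = ["manifest.json", "../foobar/config.json", "../../outside.txt"]
        return {r: (confined_startswith(foo, r), confined_relative_to(foo, r))
                for r in requests}


if __name__ == "__main__":
    for path, (old, new) in compare_checks().items():
        print(f"{path!r:28} startswith={old!s:5} relative_to={new}")
```

Both checks agree on the legitimate file and on the path that leaves `plugins/` entirely; they differ only on the sibling directory whose name begins with `foo`, which is the case the commit addresses.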