From 517c6572ef3d22258e0ec5f2b962f5994964359a Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Wed, 8 Apr 2026 06:19:37 +0700
Subject: [PATCH] fix(security): path traversal risk in file-reading helper methods

Helper methods build file paths by string concatenation (e.g., `open("docs/js/samples/" + id + ".js")`) without sanitizing `id`/`name`. If these values can be influenced externally, attackers may read unintended files via traversal sequences.

Affected files: config.rb

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 config.rb | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/config.rb b/config.rb
index dfc8fa99c..75570d174 100644
--- a/config.rb
+++ b/config.rb
@@ -1,21 +1,30 @@
 helpers do
 def js_as_plain(id)
- f = open("docs/js/samples/" + id + ".js")
- js = f.read
- f.close
- js
+ raise ArgumentError unless id =~ /\A[a-zA-Z0-9_-]+\z/
+
+ base = File.expand_path('docs/js/samples', __dir__)
+ path = File.expand_path("#{id}.js", base)
+ raise ArgumentError unless path.start_with?(base + File::SEPARATOR)
+
+ File.read(path)
 end
 def data_as_plain(name)
- f = open("docs/data/" + name)
- data = f.read
- f.close
- data
+ raise ArgumentError unless name =~ /\A[a-zA-Z0-9._-]+\z/
+
+ base = File.expand_path('docs/data', __dir__)
+ path = File.expand_path(name, base)
+ raise ArgumentError unless path.start_with?(base + File::SEPARATOR)
+
+ File.read(path)
 end
 def css_as_plain(name)
- f = open("docs/css/samples/" + name)
- css = f.read
- f.close
- css
+ raise ArgumentError unless name =~ /\A[a-zA-Z0-9._-]+\z/
+
+ base = File.expand_path('docs/css/samples', __dir__)
+ path = File.expand_path(name, base)
+ raise ArgumentError unless path.start_with?(base + File::SEPARATOR)
+
+ File.read(path)
 end
 def get_css_name(path)
 path.gsub('.html', '')
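Review bot: The allowlist-and-containment check is written out three times in this hunk (js_as_plain, data_as_plain, css_as_plain) with only the directory, regex and suffix differing, and each rejection is a bare `raise ArgumentError` that tells a failing build nothing about which value was refused. Folding the check into one helper keeps the three copies from drifting (they already differ on whether `.` is allowed) and gives the error a message; a sketch is below. The helper's comment should also record why the allowlist matters beyond `..`: it excludes `/` and `~`, so `File.expand_path` can neither climb out of the directory nor expand a home directory, which the new code relies on but does not say. The move from a working-directory-relative `open` to `__dir__`-relative `File.read` is a behaviour change worth a line in the commit message, assuming the build is run from the directory holding config.rb. The `helpers do` block and `get_css_name` continue past the end of the hunk.

```ruby
helpers do
  # Reads docs/<subdir>/<filename> and returns its contents as a String.
  #
  # `filename` must match `pattern`; every pattern used below excludes "/"
  # and "~", so File.expand_path cannot climb out of `base` or expand a
  # home directory. The start_with? test is kept as defence in depth.
  # Raises ArgumentError naming the rejected value.
  def read_docs_file(subdir, filename, pattern)
    name = filename.to_s
    unless name.match?(pattern)
      raise ArgumentError, "invalid #{subdir} filename: #{filename.inspect}"
    end

    base = File.expand_path(File.join('docs', subdir), __dir__)
    path = File.expand_path(name, base)
    unless path.start_with?(base + File::SEPARATOR)
      raise ArgumentError, "#{subdir} filename escapes its directory: #{filename.inspect}"
    end

    File.read(path)
  end

  def js_as_plain(id)
    read_docs_file('js/samples', "#{id}.js", /\A[a-zA-Z0-9_-]+\.js\z/)
  end

  def data_as_plain(name)
    read_docs_file('data', name, /\A[a-zA-Z0-9._-]+\z/)
  end

  def css_as_plain(name)
    read_docs_file('css/samples', name, /\A[a-zA-Z0-9._-]+\z/)
  end
  # … unchanged: get_css_name …
```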