From 9c8abfbc83cb7a9256e905c0f81b15ec55de2867 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Sat, 11 Apr 2026 18:12:27 +0700
Subject: [PATCH] fix(security): potential path traversal when saving models to dis

`saveModelToDisk` builds the output path via string interpolation (`${modelFolder}/${modelFileName}`) without sanitizing `modelFileName`. If user-controlled, attackers can inject `../` sequences or absolute paths to overwrite unintended files.

Affected files: model_loader.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 discojs-node/src/model_loader.ts | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/discojs-node/src/model_loader.ts b/discojs-node/src/model_loader.ts
index 1da84def0..e4e232417 100644
--- a/discojs-node/src/model_loader.ts
+++ b/discojs-node/src/model_loader.ts
@@ -1,4 +1,5 @@
 import fs from "node:fs/promises";
+import path from "node:path";
 import type { models, DataType } from "@epfml/discojs";
 import { serialization } from "@epfml/discojs";
@@ -10,8 +11,20 @@ export async function saveModelToDisk(
 ): Promise {
   const encoded = await serialization.model.encode(model);
+  if (
+    path.isAbsolute(modelFileName) ||
+    modelFileName.includes("/") ||
+    modelFileName.includes("\\") ||
+    modelFileName === "." ||
+    modelFileName === ".."
+  ) {
+    throw new Error("Invalid model file name");
+  }
+
+  const modelPath = path.join(modelFolder, modelFileName);
+
   await fs.mkdir(modelFolder, { recursive: true });
-  await fs.writeFile(`${modelFolder}/${modelFileName}`, encoded);
+  await fs.writeFile(modelPath, encoded);
 }
 export async function loadModelFromDisk(
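Review bot: The new guard in saveModelToDisk is a blocklist of separators and dot names, which rejects the obvious traversal inputs but still lets an empty `modelFileName` through — `path.join(modelFolder, "")` resolves to the folder itself, so writeFile fails with an unhelpful EISDIR instead of "Invalid model file name". A containment check on the joined path is simpler to reason about and covers that case as well: after the join, `const root = path.resolve(modelFolder) + path.sep;` then `if (!path.resolve(modelPath).startsWith(root)) throw new Error("Invalid model file name");`, keeping the existing `path.isAbsolute` test since join would otherwise silently nest an absolute name under the folder. The validation also runs after `serialization.model.encode(model)`, so a rejected name still pays for a full encode; moving the check above that line makes the rejection cheap and is the usual order of fail-fast argument validation. The start of saveModelToDisk (its parameter list) is outside the hunk, and loadModelFromDisk is only visible by its signature — if it builds its path with the same interpolation, it presumably needs the same treatment.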