11import { existsSync } from 'fs'
2- import { join , resolve , sep } from 'path'
2+ import path from 'path'
33import { createLogger } from '@sim/logger'
44import { NextResponse } from 'next/server'
55import { UPLOAD_DIR } from '@/lib/uploads/config'
@@ -155,7 +155,7 @@ function sanitizeFilename(filename: string): string {
155155 return sanitized
156156 } )
157157
158- return sanitizedSegments . join ( sep )
158+ return sanitizedSegments . join ( path . sep )
159159}
160160
161161export function findLocalFile ( filename : string ) : string | null {
@@ -168,17 +168,18 @@ export function findLocalFile(filename: string): string | null {
168168 }
169169
170170 const possiblePaths = [
171- join ( UPLOAD_DIR , sanitizedFilename ) ,
172- join ( process . cwd ( ) , 'uploads' , sanitizedFilename ) ,
171+ path . join ( UPLOAD_DIR , sanitizedFilename ) ,
172+ path . join ( process . cwd ( ) , 'uploads' , sanitizedFilename ) ,
173173 ]
174174
175- for ( const path of possiblePaths ) {
176- const resolvedPath = resolve ( path )
177- const allowedDirs = [ resolve ( UPLOAD_DIR ) , resolve ( process . cwd ( ) , 'uploads' ) ]
175+ for ( const filePath of possiblePaths ) {
176+ const resolvedPath = path . resolve ( filePath )
177+ const allowedDirs = [ path . resolve ( UPLOAD_DIR ) , path . resolve ( process . cwd ( ) , 'uploads' ) ]
178178
179179 // Must be within allowed directory but NOT the directory itself
180180 const isWithinAllowedDir = allowedDirs . some (
181- ( allowedDir ) => resolvedPath . startsWith ( allowedDir + sep ) && resolvedPath !== allowedDir
181+ ( allowedDir ) =>
182+ resolvedPath . startsWith ( allowedDir + path . sep ) && resolvedPath !== allowedDir
182183 )
183184
184185 if ( ! isWithinAllowedDir ) {
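Review bot: The containment test in `findLocalFile` (`resolvedPath.startsWith(allowedDir + path.sep)`) is purely lexical: `path.resolve` normalises `..` segments but does not follow symbolic links, so a link inside an upload directory would pass the check while pointing elsewhere on disk. If anything other than this service can create entries under `UPLOAD_DIR`, compare canonical paths instead, for example by passing `resolvedPath` and each allowed directory through `fs.realpathSync` once the file is known to exist and before the prefix test. Separately, `allowedDirs` does not depend on the loop variable and could be built once above the `for`. The function body continues past the end of this hunk, so the existence check (presumably via the imported `existsSync`) and the return are not visible here.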