From 74a5ec87baad2c107267bd8c75dab5f6c77db10a Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Thu, 15 Jan 2026 02:45:51 +0000
Subject: [PATCH] Fix directory traversal check to allow paths containing '...'

The previous check blocked any path containing '..' anywhere, which caused false positives for legitimate paths like '[...path]' (Next.js catch-all routes). The fix splits the path by '/' and only blocks if a segment starts with '..', which correctly identifies directory traversal attempts while allowing legitimate filenames that contain '..' within them.

Co-authored-by: michael
---
 packages/web/src/features/fileTree/api.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/web/src/features/fileTree/api.ts b/packages/web/src/features/fileTree/api.ts
index ed4c7aed..f5efbdbb 100644
--- a/packages/web/src/features/fileTree/api.ts
+++ b/packages/web/src/features/fileTree/api.ts
@@ -93,7 +93,11 @@ export const getFolderContents = async (params: { repoName: string, revisionName
 // @note: we don't allow directory traversal
 // or null bytes in the path.
- if (path.includes('..') || path.includes('\0')) {
+ // We split by '/' and check if any segment starts with '..'
+ // to allow legitimate paths containing '..' (e.g., '[...path]')
+ // while still blocking directory traversal attempts.
+ const pathSegments = path.split('/');
+ if (pathSegments.some(segment => segment.startsWith('..')) || path.includes('\0')) {
 return notFound();
 }
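Review bot: The new condition `segment.startsWith('..')` is still an approximation of the traversal test. Only a segment that is exactly `..` walks up a directory, so names such as `..foo` or `...` still return notFound() although the added comment calls paths containing '..' legitimate. If `path` is consumed as a POSIX or git path, `if (pathSegments.some(segment => segment === '..') || path.includes('\0')) {` states the rule exactly. Splitting on '/' alone assumes the consumer treats no other character as a separator and that `path` arrives already decoded; that code lies in the part of getFolderContents outside this hunk and should be confirmed. The diffstat shows only api.ts changed, so a unit test covering `..`, `a/../b`, `[...path]` and `a/..b` would pin this security check.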