fix(postgres): prevent Windows path traversal attacks in database names

claude[bot] · modelorona · web-flow · commit 5542fa1b4031 · 2025-06-18T04:22:57.000Z
Add validation for Windows-specific path traversal patterns (`./` and `.\`) 
to prevent directory traversal attacks on Windows systems. This addresses
the security vulnerability where database names could contain current
directory references to access unauthorized paths.

Co-authored-by: Anguel &lt;modelorona@users.noreply.github.com&gt;
diff --git a/core/src/plugins/postgres/db.go b/core/src/plugins/postgres/db.go
@@ -49,8 +49,9 @@ func validateDatabase(database string) error {
 		return fmt.Errorf("invalid database name: contains URL-encoded forward slash")
 	}
 	
-	// Check for literal path traversal patterns
-	if strings.Contains(database, "../") || strings.Contains(database, "..\\") {
+	// Check for literal path traversal patterns (both Unix and Windows)
+	if strings.Contains(database, "../") || strings.Contains(database, "..\\") ||
+		strings.Contains(database, "./") || strings.Contains(database, ".\\") {
 		return fmt.Errorf("invalid database name: contains path traversal pattern")
 	}
 	

Original file line number	Diff line number	Diff line change
`@@ -49,8 +49,9 @@ func validateDatabase(database string) error {`
`49`	`49`	`return fmt.Errorf("invalid database name: contains URL-encoded forward slash")`
`50`	`50`	`}`
`51`	`51`
`52`		`- // Check for literal path traversal patterns`
`53`		`- if strings.Contains(database, "../") \|\| strings.Contains(database, "..\\") {`
	`52`	`+ // Check for literal path traversal patterns (both Unix and Windows)`
	`53`	`+ if strings.Contains(database, "../") \|\| strings.Contains(database, "..\\") \|\|`
	`54`	`+ strings.Contains(database, "./") \|\| strings.Contains(database, ".\\") {`
`54`	`55`	`return fmt.Errorf("invalid database name: contains path traversal pattern")`
`55`	`56`	`}`
`56`	`57`