fix(postgres): prevent path traversal attacks with double slashes

claude[bot] · modelorona · web-flow · commit 8b8d8f0a3e29 · 2025-06-18T05:16:42.000Z
- Enhanced validateDatabase function to handle path separator variations
- Added validation for ..// and .// patterns that could bypass security  
- Path normalization prevents attacks using double forward slashes
- Maintains all existing path traversal protections

Co-authored-by: Anguel &lt;modelorona@users.noreply.github.com&gt;
diff --git a/core/src/plugins/postgres/db.go b/core/src/plugins/postgres/db.go
@@ -50,8 +50,14 @@ func validateDatabase(database string) error {
 	}
 	
 	// Check for literal path traversal patterns (both Unix and Windows)
-	if strings.Contains(database, "../") || strings.Contains(database, "..\\") ||
-		strings.Contains(database, "./") || strings.Contains(database, ".\\") {
+	// Normalize the database name to check for all path separator variations
+	normalizedDB := strings.ReplaceAll(database, "\\", "/")
+	normalizedDB = strings.ReplaceAll(normalizedDB, "//", "/") // Handle double slashes
+	
+	if strings.Contains(normalizedDB, "../") || strings.Contains(normalizedDB, "./") ||
+		strings.Contains(database, "../") || strings.Contains(database, "..\\") ||
+		strings.Contains(database, "./") || strings.Contains(database, ".\\") ||
+		strings.Contains(database, "..//") || strings.Contains(database, ".//") {
 		return fmt.Errorf("invalid database name: contains path traversal pattern")
 	}
 	
