From 33100d9efca119b100964a4e187db5be53bd6bb0 Mon Sep 17 00:00:00 2001
From: posimai
Date: Fri, 24 Apr 2026 20:48:06 +0900
Subject: [PATCH] =?UTF-8?q?security(posimai-dev):=20=E3=82=BB=E3=83=83?=
 =?UTF-8?q?=E3=82=B7=E3=83=A7=E3=83=B3=20API=20=E3=83=91=E3=82=B9=E3=83=88?=
 =?UTF-8?q?=E3=83=A9=E3=83=90=E3=83=BC=E3=82=B5=E3=83=AB=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

/api/sessions/:id で path.join 後に SESSIONS_DIR 外への逸脱を検証。
正常な ID(UUID 等)には影響なし。requireLocal により localhost/Tailscale 限定だが念のため多層防御。
---
 posimai-dev/server.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/posimai-dev/server.js b/posimai-dev/server.js
index 84106243..99b5d85f 100644
--- a/posimai-dev/server.js
+++ b/posimai-dev/server.js
@@ -73,6 +73,7 @@ app.get('/api/sessions', requireLocal, (req, res) => {
 // セッション内容 API
 app.get('/api/sessions/:id', requireLocal, (req, res) => {
 const file = path.join(SESSIONS_DIR, req.params.id + '.log');
+ if (!file.startsWith(SESSIONS_DIR + path.sep)) return res.status(400).json({ error: 'invalid' });
 if (!fs.existsSync(file)) return res.status(404).json({ error: 'not found' });
 res.type('text/plain').send(fs.readFileSync(file, 'utf8'));
 });
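Review bot: The added prefix check on the `+ if` line compares the path.join() result against the raw `SESSIONS_DIR + path.sep`, but path.join() normalises its output (it drops a leading `./` and collapses doubled separators), so if SESSIONS_DIR is defined as a relative path or with a trailing separator — its definition is outside the hunk, so this is an assumption — every ID, including the valid UUIDs the description mentions, would be rejected with 400. Resolving both sides removes the dependency on how the constant is spelled: `const base = path.resolve(SESSIONS_DIR);` / `const file = path.resolve(base, req.params.id + '.log');` / `if (!file.startsWith(base + path.sep)) return res.status(400).json({ error: 'invalid' });`. Since IDs are expected to be UUIDs, an allowlist such as `if (!/^[A-Za-z0-9_-]+$/.test(req.params.id)) return res.status(400).json({ error: 'invalid' });` is a simpler defence that also rules out subdirectory paths and unusual characters the prefix check still admits. Neither form follows symlinks inside SESSIONS_DIR, so a link placed there could still point outside the directory; a comment noting that limit, e.g. `// prefix check only: does not resolve symlinks within SESSIONS_DIR`, would keep the next reader from over-trusting it.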