Further add safe resolve in workspace

Author: Shellishack

remote-workspace/src/servers/api-server/platform-api/handler.ts

@@ -4,7 +4,9 @@ import path from "path";
 
 // Define a safe root directory for projects. Can be overridden by env or configured as needed.
 // All incoming URIs will be resolved and validated to ensure they don't escape this root.
-const SAFE_ROOT = path.resolve(process.env.PLATFORM_API_ROOT ?? "/pulse-editor");
+const SAFE_ROOT = path.resolve(
+  process.env.PLATFORM_API_ROOT ?? "/pulse-editor",
+);
 
 const settingsPath = path.join(SAFE_ROOT, "settings.json");
 
@@ -14,14 +16,22 @@ function safeResolve(uri: string): string {
   }
 
   // Resolve the input and the safe root to absolute, normalized paths.
-  const resolved = path.resolve(uri);
-  const root = SAFE_ROOT;
-
-  const relative = path.relative(root, resolved);
+  // Always resolve relative to SAFE_ROOT (do not trust 'uri' alone)
+  const candidate = path.resolve(SAFE_ROOT, uri);
+  let rootReal, candidateReal;
+  try {
+    rootReal = fs.realpathSync(SAFE_ROOT);
+    candidateReal = fs.realpathSync(candidate);
+  } catch (e) {
+    throw new Error("Path does not exist or cannot be accessed");
+  }
 
-  // If the relative path starts with '..' or is absolute, it escapes the SAFE_ROOT.
-  if (relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative))) {
-    return resolved;
+  // Check that candidateReal is strictly under rootReal (or equal to rootReal)
+  if (
+    candidateReal === rootReal ||
+    candidateReal.startsWith(rootReal + path.sep)
+  ) {
+    return candidateReal;
   }
 
   throw new Error("Can only access paths within the project home directory.");
@@ -131,7 +141,6 @@ export async function handlePlatformAPIRequest(
   }
 }
 
-
 // List all folders in a path
 async function handleListProjects(uri: string) {
   const rootPath = safeResolve(uri);