termbeam 1.19.1 → 1.19.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "1.19.1",
+  "version": "1.19.3",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server/index.js",
   "bin": {

package/src/server/preview.js

@@ -32,10 +32,12 @@ function createPreviewProxy() {
         .json({ error: 'Invalid port: must be an integer between 1 and 65535' });
     }
 
-    // Strip /preview/:port prefix, keep the rest (or default to /)
-    // Express 5 *path returns an array of segments — join them back
-    const segments = req.params.path;
-    const forwardPath = segments ? `/${[].concat(segments).join('/')}` : '/';
+    // Derive forward path from req.url to preserve trailing slashes.
+    // Express *path params lose trailing slashes, causing redirect loops
+    // with servers that enforce them (e.g. mkdocs: /TermBeam → /TermBeam/).
+    const portPrefix = `/${req.params.port}`;
+    const urlWithoutQuery = req.url.split('?')[0];
+    const forwardPath = urlWithoutQuery.slice(portPrefix.length) || '/';
     const search = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
 
     const fwdHeaders = { ...req.headers, host: `127.0.0.1:${port}` };

package/src/server/routes.js

@@ -10,6 +10,15 @@ const log = require('../utils/logger');
 const rateLimit = require('express-rate-limit');
 
 const PUBLIC_DIR = path.join(__dirname, '..', '..', 'public');
+
+// Resolve a user-provided path relative to rootDir and verify it stays within bounds.
+// Returns the resolved path or null if it escapes rootDir.
+function safePath(rootDir, userPath) {
+  const resolved = path.resolve(rootDir, userPath);
+  if (!resolved.startsWith(rootDir + path.sep) && resolved !== rootDir) return null;
+  return resolved;
+}
+
 const uploadedFiles = new Map(); // id -> filepath
 
 const IMAGE_SIGNATURES = [
@@ -644,7 +653,10 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager }) {
     }
 
     const rootDir = path.resolve(sessions.getSessionCwd(req.params.id));
-    const dir = path.resolve(rootDir, req.query.dir || '.');
+    const dir = safePath(rootDir, req.query.dir || '.');
+    if (!dir) {
+      return res.status(403).json({ error: 'Path is outside session directory' });
+    }
 
     const MAX_ENTRIES = 1000;
     try {
@@ -798,7 +810,10 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager }) {
     }
 
     const rootDir = path.resolve(sessions.getSessionCwd(req.params.id));
-    const filePath = path.resolve(rootDir, file);
+    const filePath = safePath(rootDir, file);
+    if (!filePath) {
+      return res.status(403).json({ error: 'Path is outside session directory' });
+    }
 
     try {
       if (fs.lstatSync(filePath).isSymbolicLink()) {
@@ -829,7 +844,10 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager }) {
     }
 
     const rootDir = path.resolve(sessions.getSessionCwd(req.params.id));
-    const filePath = path.resolve(rootDir, file);
+    const filePath = safePath(rootDir, file);
+    if (!filePath) {
+      return res.status(403).json({ error: 'Path is outside session directory' });
+    }
 
     try {
       if (fs.lstatSync(filePath).isSymbolicLink()) {
@@ -860,7 +878,10 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager }) {
     }
 
     const rootDir = path.resolve(sessions.getSessionCwd(req.params.id));
-    const filePath = path.resolve(rootDir, file);
+    const filePath = safePath(rootDir, file);
+    if (!filePath) {
+      return res.status(403).json({ error: 'Path is outside session directory' });
+    }
 
     try {
       if (fs.lstatSync(filePath).isSymbolicLink()) {