ZimengXiong
diff --git a/‎.gitignore‎
Lines changed: 17 additions & 1 deletion b/‎.gitignore‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎backend/dev_v3.db‎ b/‎backend/dev_v3.db‎
diff --git a/‎backend/src/routes/importExport/excalidashImportRoutes.ts‎
Lines changed: 12 additions & 10 deletions b/‎backend/src/routes/importExport/excalidashImportRoutes.ts‎
Lines changed: 12 additions & 10 deletions
diff --git a/‎docker-compose.oidc.local.yml‎
Lines changed: 0 additions & 112 deletions b/‎docker-compose.oidc.local.yml‎
Lines changed: 0 additions & 112 deletions
diff --git a/‎ops/keycloak/realm-excalidash-local.json‎
Lines changed: 0 additions & 64 deletions b/‎ops/keycloak/realm-excalidash-local.json‎
Lines changed: 0 additions & 64 deletions
@@ -11,6 +11,22 @@ backend/prisma/dev.db
 backend/prisma/e2e-test.db
 backend/prisma/*.backup
 
+# SQLite artifacts anywhere (avoid committing dev DBs)
+*.db
+*.db-journal
+*.db-wal
+*.db-shm
+*.db.backup
+
+# Docker-entrypoint persisted secrets/locks (in case prisma volume is bind-mounted)
+backend/prisma/.jwt_secret
+backend/prisma/.csrf_secret
+backend/prisma/.migration-lock/
+
+# Local OIDC/Keycloak dev files
+docker-compose.oidc.local.yml
+ops/keycloak/realm-excalidash-local.json
+
 # Uploads
 backend/uploads/
 
@@ -109,4 +125,4 @@ Thumbs.db
 
 # Temporary files
 *.tmp
-*.temp
+*.temp
@@ -15,13 +15,8 @@ import {
 
 const isSafeMulterTempFilename = (value: string): boolean => /^[a-f0-9]{32}$/.test(value);
 
-const isPathInsideDirectory = (candidatePath: string, rootDir: string): boolean => {
-  const relativePath = path.relative(rootDir, candidatePath);
-  return relativePath === "" || (!relativePath.startsWith("..") && !path.isAbsolute(relativePath));
-};
-
 const resolveStagedUploadPath = async (
-  file: { filename?: unknown },
+  file: { filename?: unknown; path?: unknown },
   uploadRoot: string
 ): Promise<string> => {
   const absoluteUploadRoot = path.resolve(uploadRoot);
@@ -33,13 +28,20 @@ const resolveStagedUploadPath = async (
     throw new ImportValidationError("Invalid upload path");
   }
 
-  const filename = typeof file.filename === "string" ? file.filename : "";
-  if (!isSafeMulterTempFilename(filename)) {
+  // CodeQL path-injection: use basename extraction + strict allowlist, then enforce root containment.
+  // Multer typically generates a server-side random filename; we still validate defensively.
+  const rawPath = typeof file.path === "string" ? file.path : "";
+  const rawFilename = typeof file.filename === "string" ? file.filename : "";
+  const basename = path.basename(rawPath || rawFilename);
+  if (!isSafeMulterTempFilename(basename)) {
     throw new ImportValidationError("Invalid upload path");
   }
 
-  const candidatePath = path.resolve(canonicalUploadRoot, filename);
-  if (!isPathInsideDirectory(candidatePath, canonicalUploadRoot)) {
+  const candidatePath = path.resolve(canonicalUploadRoot, basename);
+  const rootPrefix = canonicalUploadRoot.endsWith(path.sep)
+    ? canonicalUploadRoot
+    : `${canonicalUploadRoot}${path.sep}`;
+  if (!candidatePath.startsWith(rootPrefix)) {
     throw new ImportValidationError("Invalid upload path");
   }