From 2d03d8af1977fe5ba1707f774a6ecd5a8999de39 Mon Sep 17 00:00:00 2001
From: Gaurav Poudel <gauravpaudel2013@gmail.com>
Date: Sun, 15 Feb 2026 15:10:42 +0530
Subject: [PATCH] fix: sanitize tunnel name before using as config file path

  The tunnel name from user-supplied JSON config was used directly
  in filepath.Join() when writing/removing tunnel config files,
  allowing path traversal attacks (e.g. name: ../../system32/...).

  Apply sanitizeServiceName() to the filename in both InstallTunnel
  and UninstallTunnel, consistent with how the service name is
  already sanitized.

  Fixes a potential arbitrary file write/delete as SYSTEM.
---
 managers/install.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/managers/install.go b/managers/install.go
index d2f1c3a..d0d1aa3 100644
--- a/managers/install.go
+++ b/managers/install.go
@@ -175,7 +175,7 @@ func InstallTunnel(configJSON string) error {
 	if err := os.MkdirAll(configDir, 0755); err != nil {
 		return fmt.Errorf("failed to create config directory: %w", err)
 	}
-	configPath := filepath.Join(configDir, name+".json")
+	configPath := filepath.Join(configDir, sanitizeServiceName(name)+".json")
 	if err := os.WriteFile(configPath, []byte(configJSON), 0600); err != nil {
 		return fmt.Errorf("failed to write config file: %w", err)
 	}
@@ -229,7 +229,7 @@ func UninstallTunnel(name string) error {
 
 	// Clean up config file
 	configDir := filepath.Join(os.Getenv("ProgramData"), config.AppName, "Tunnels")
-	configPath := filepath.Join(configDir, name+".json")
+	configPath := filepath.Join(configDir, sanitizeServiceName(name)+".json")
 	os.Remove(configPath) // Best effort cleanup
 
 	return nil