From 85a7d197697a384274f31022e1ddb4de62e4d84d Mon Sep 17 00:00:00 2001
From: Subagent 5
Date: Wed, 28 Jan 2026 21:44:15 -0800
Subject: [PATCH] fix: validate logo index entries before building URLs

Guard against path traversal and unexpected file types by validating logo paths start with 'logo/', have allowed image extensions, and contain no '..' or leading '/' segments.

Amp-Thread-ID: https://ampcode.com/threads/T-019c083e-8ba0-7699-a5ff-63fd03e24391
Co-authored-by: Amp
---
 .../templates/repositories/workflowTemplatesStore.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/platform/workflow/templates/repositories/workflowTemplatesStore.ts b/src/platform/workflow/templates/repositories/workflowTemplatesStore.ts
index 0c0e087be..4c20a5113 100644
--- a/src/platform/workflow/templates/repositories/workflowTemplatesStore.ts
+++ b/src/platform/workflow/templates/repositories/workflowTemplatesStore.ts
@@ -515,7 +515,15 @@ export const useWorkflowTemplatesStore = defineStore(
     function getLogoUrl(provider: string): string {
       const logoPath = logoIndex.value[provider]
-      if (!logoPath) return ''
+      if (
+        !logoPath ||
+        logoPath.includes('..') ||
+        logoPath.startsWith('/') ||
+        !logoPath.startsWith('logo/') ||
+        !/\.(png|svg|jpg|jpeg)$/i.test(logoPath)
+      ) {
+        return ''
+      }
       return api.fileURL(`/templates/${logoPath}`)
     }