From 409e8d4871d7bfbc0489dcbbef04031b26e378a7 Mon Sep 17 00:00:00 2001
From: Raju
Date: Tue, 24 Mar 2026 13:09:23 +0530
Subject: [PATCH] fix[notask]: validate modelDir path in TTS benchmark server to prevent traversal

Both runChatterboxTTS and runSupertonicTTS accepted arbitrary absolute paths for modelDir, allowing directory enumeration outside the benchmark directory. Validate that resolved modelDir is within BENCHMARKS_DIR or SHARED_DATA_DIR before proceeding.

Made-with: Cursor
---
 .../benchmarks/server/src/services/runChatterboxTTS.js | 7 ++++---
 .../benchmarks/server/src/services/runSupertonicTTS.js | 6 ++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/packages/qvac-lib-infer-onnx-tts/benchmarks/server/src/services/runChatterboxTTS.js b/packages/qvac-lib-infer-onnx-tts/benchmarks/server/src/services/runChatterboxTTS.js
index 00315ee639..842ea44e8e 100644
--- a/packages/qvac-lib-infer-onnx-tts/benchmarks/server/src/services/runChatterboxTTS.js
+++ b/packages/qvac-lib-infer-onnx-tts/benchmarks/server/src/services/runChatterboxTTS.js
@@ -96,10 +96,11 @@ async function runChatterboxTTS (payload) {
 
   logger.info(`[Chatterbox] Processing ${texts.length} texts`)
 
-  // Resolve paths relative to benchmarks directory if not absolute
   let modelDir = config.modelDir || DEFAULT_MODEL_DIR
-  if (!path.isAbsolute(modelDir)) {
-    modelDir = path.join(BENCHMARKS_DIR, modelDir)
+  modelDir = path.isAbsolute(modelDir) ? modelDir : path.join(BENCHMARKS_DIR, modelDir)
+  modelDir = path.resolve(modelDir)
+  if (!modelDir.startsWith(BENCHMARKS_DIR) && !modelDir.startsWith(SHARED_DATA_DIR)) {
+    throw new Error('modelDir must be within the benchmarks or shared-data directory')
   }
 
   const tokenizerPath = path.join(modelDir, 'tokenizer.json')
diff --git a/packages/qvac-lib-infer-onnx-tts/benchmarks/server/src/services/runSupertonicTTS.js b/packages/qvac-lib-infer-onnx-tts/benchmarks/server/src/services/runSupertonicTTS.js
index e85a02e0cb..f96477e8e4 100644
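Review bot: The containment check `modelDir.startsWith(BENCHMARKS_DIR)` in the added `if` is a plain string-prefix test, so a sibling directory whose name merely extends the base (for example `<BENCHMARKS_DIR>-old`, constructed example) passes it even though it lies outside the allowed tree; the identical line appears in the runSupertonicTTS hunk. Compare against the base itself or the base plus a separator, e.g. `const isWithin = (base) => modelDir === base || modelDir.startsWith(base + path.sep)` and `if (!isWithin(BENCHMARKS_DIR) && !isWithin(SHARED_DATA_DIR)) {`. This also presumes BENCHMARKS_DIR and SHARED_DATA_DIR are themselves absolute, normalised and without a trailing separator; they are defined outside the hunk, so that is worth confirming. The removed comment explained the relative-path fallback, and a replacement such as `// config.modelDir is caller-supplied: resolve it and refuse anything outside the allowed roots` would keep that context for the next reader. runChatterboxTTS's body continues outside the hunk.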
--- a/packages/qvac-lib-infer-onnx-tts/benchmarks/server/src/services/runSupertonicTTS.js
+++ b/packages/qvac-lib-infer-onnx-tts/benchmarks/server/src/services/runSupertonicTTS.js
@@ -23,8 +23,10 @@ async function runSupertonicTTS (payload) {
   logger.info(`[Supertonic] Processing ${texts.length} texts`)
 
   let modelDir = config.modelDir || DEFAULT_MODEL_DIR
-  if (!path.isAbsolute(modelDir)) {
-    modelDir = path.join(BENCHMARKS_DIR, modelDir)
+  modelDir = path.isAbsolute(modelDir) ? modelDir : path.join(BENCHMARKS_DIR, modelDir)
+  modelDir = path.resolve(modelDir)
+  if (!modelDir.startsWith(BENCHMARKS_DIR) && !modelDir.startsWith(SHARED_DATA_DIR)) {
+    throw new Error('modelDir must be within the benchmarks or shared-data directory')
   }
 
   const voiceName = config.voiceName || 'F1'
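Review bot: `path.resolve(modelDir)` on the second added line is a purely lexical normalisation: it collapses `..` segments but does not follow symbolic links, so a link placed under BENCHMARKS_DIR or SHARED_DATA_DIR that points elsewhere would still satisfy the check on the next line; the same applies to the runChatterboxTTS hunk. If anything other than the operator can write into those trees, resolving with `fs.realpathSync(modelDir)` (if `fs` is in scope; it also requires the directory to exist, which the later model loads need anyway) before the `startsWith` comparison closes that gap. Otherwise a comment such as `// Lexical check only: symlinks under the allowed roots are trusted` would record the assumption. runSupertonicTTS's body continues outside the hunk.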