OS: Windows
Shell: PowerShell
ForgeCAD CLI: 0.9.10
Node: v22.14.0
npm: 11.15.0
Project path example:
Steps to Reproduce
Create or open a ForgeCAD project on Windows.
Place a STEP file inside the project, for example:
CAD\Ensamblaje.STEP
Actual Result
ForgeCAD fails with:
ERROR: Path traversal blocked: "CAD/Ensamblaje.STEP" resolves outside the project directory
The relevant stack trace includes:
Path traversal blocked: "CAD/Ensamblaje.STEP" resolves outside the project directory
at Object.readBinaryFile (.../forgecad.js:85490:13)
at importStep (.../forgecad.js:84307:32)
Expected Result
ForgeCAD should allow importing a STEP file located inside the current project directory.
The file should run successfully and import as an OCCT STEP asset.
Suspected Root Cause
The path traversal guard compares a Windows absolute path containing backslashes against a project-root prefix built with forward slashes.
Conceptually, the current check behaves like this:
if (!absPath.startsWith(root + "/") && absPath !== root) {
  throw new Error(...)
}
Proposed Fix
Normalize both paths before the containment check:
// Convert backslashes to forward slashes so both paths use one separator.
const normalizedAbsPath = absPath.replace(/\\/g, "/");
const normalizedRoot = root.replace(/\\/g, "/");
// Make sure the root prefix ends with a separator.
const normalizedRootPrefix = normalizedRoot.endsWith("/")
  ? normalizedRoot
  : normalizedRoot + "/";
if (
  !normalizedAbsPath.startsWith(normalizedRootPrefix) &&
  normalizedAbsPath !== normalizedRoot
) {
  throw new Error(
    `Path traversal blocked: "${relativePath}" resolves outside the project directory`
  );
}
This preserves the traversal protection while making it portable across Windows and POSIX paths.
Local Confirmation
After applying the path-normalization fix locally, this command succeeded:
forgecad run .\CAD\Ensamblaje.STEP --quality live --details
Result:
Objects: 1 (9 bodies)
geom=occt/mesh-solid/exact/topology:none/sources:imported
So the STEP file itself is valid; the failure appears to be the Windows path traversal check, not the CAD import.
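A separator-independent form of the same containment check, as an added example (not ForgeCAD's code and not part of the original report): it uses Node's `path.relative` instead of a string prefix and goes beyond the reported case by also covering sibling directories, cross-drive paths and names that merely begin with `..`. The function names and all paths are constructed for illustration.

```javascript
// Added example, not ForgeCAD source. Function names and all paths are constructed.
const path = require("node:path");

// The check as the report describes it: raw string prefix test using "/".
function prefixCheck(root, absPath) {
  return absPath.startsWith(root + "/") || absPath === root;
}

// Separator-independent containment test. `p` is path.win32 or path.posix,
// so both flavours can be exercised on any host OS.
function isInsideRoot(p, root, relativePath) {
  const absRoot = p.resolve(root);
  const absPath = p.resolve(absRoot, relativePath);
  const rel = p.relative(absRoot, absPath);
  if (rel === "") return true; // the root itself
  // Outside if the first segment climbs out, or if the result is absolute
  // (win32.relative returns the target unchanged when drives differ).
  return rel.split(p.sep)[0] !== ".." && !p.isAbsolute(rel);
}

// Constructed cases: [flavour, root, requested path, expected verdict].
const CASES = [
  [path.win32, "C:\\proj", "CAD/Ensamblaje.STEP", true],
  [path.win32, "C:\\proj", "..\\secret.step", false],
  [path.win32, "C:\\proj", "..\\proj-evil\\a.step", false], // shares the string prefix
  [path.win32, "C:\\proj", "D:\\other\\a.step", false],
  [path.win32, "C:\\proj", "..notes\\a.step", true], // name merely starts with ".."
  [path.posix, "/home/u/proj", "CAD/Ensamblaje.STEP", true],
  [path.posix, "/home/u/proj", "../proj-evil/a.step", false],
];

function runCases() {
  return CASES.map(([p, root, rel, expected]) => ({
    rel, expected, actual: isInsideRoot(p, root, rel),
  }));
}

for (const r of runCases()) {
  console.log(r.actual === r.expected ? "ok  " : "FAIL", r.rel, "->", r.actual);
}
// The reported false positive: a backslash path never starts with root + "/".
console.log(prefixCheck("C:\\proj", "C:\\proj\\CAD\\Ensamblaje.STEP")); // false
```

The check is lexical only: it does not resolve symlinks or junctions inside the project directory.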