Problem
Two issues in apps/electron/src/main/settings.ts:
- Path traversal: the profile feature accepts custom database paths without validating that they stay within the app data directory, so a crafted path could read or write arbitrary files.
- Orphan cleanup: deleteDatabaseProfile() (lines 278-304) deletes the profile record but NOT the actual .db file, causing orphaned database files to accumulate on disk.
Solution
- Validate that all profile paths resolve within the app's user data directory (app.getPath('userData'))
- Delete the actual database file when deleting a profile (with user confirmation)
- Add a cleanup utility to find and remove orphaned .db files
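As an added example (not the project's code), a TypeScript sketch of the containment check, guarded delete and orphan scan the Solution describes; the base directory is passed in rather than read from app.getPath('userData') so it runs outside Electron, and the DatabaseProfile shape and function names are hypothetical.

```typescript
import * as path from "path";
import * as fs from "fs";

// Hypothetical profile record; the real shape lives in settings.ts.
export interface DatabaseProfile {
  id: string;
  dbPath: string; // as stored: absolute, or relative to the user data dir
}

// True when `candidate`, resolved against `baseDir`, stays inside it.
// `baseDir` is app.getPath('userData') in the app. Lexical check only:
// if symlinks inside userData are a concern, also compare fs.realpathSync
// of an existing file against the base before using it.
export function isWithinBase(baseDir: string, candidate: string): boolean {
  const base = path.resolve(baseDir);
  const rel = path.relative(base, path.resolve(base, candidate));
  // "" is baseDir itself (not a file), "../..." escapes it, and an absolute
  // result means a different drive on Windows. A plain ".." prefix test
  // would wrongly reject a file named "..hidden.db".
  return rel !== "" && rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Resolves a profile's database path, or throws if it escapes baseDir or is
// not a .db file. Call before any read, write or delete of the file.
export function resolveProfilePath(baseDir: string, candidate: string): string {
  if (!isWithinBase(baseDir, candidate) || path.extname(candidate) !== ".db") {
    throw new Error(`rejected profile database path: ${candidate}`);
  }
  return path.resolve(baseDir, candidate);
}

// Removes the profile's .db file after validation; returns false if absent.
// In the app the user-confirmation dialog would wrap this call.
export function deleteProfileDatabaseFile(baseDir: string, profile: DatabaseProfile): boolean {
  const file = resolveProfilePath(baseDir, profile.dbPath);
  if (!fs.existsSync(file)) return false;
  fs.rmSync(file);
  return true;
}

// Lists .db files under baseDir that no profile references (orphans).
// `dbFiles` are paths relative to baseDir, e.g. from a recursive readdir.
export function findOrphanedDbFiles(baseDir: string, profiles: DatabaseProfile[], dbFiles: string[]): string[] {
  const referenced = new Set<string>();
  for (const p of profiles) {
    if (isWithinBase(baseDir, p.dbPath)) referenced.add(path.resolve(baseDir, p.dbPath));
  }
  return dbFiles
    .map((f) => path.resolve(baseDir, f))
    .filter((f) => path.extname(f) === ".db" && isWithinBase(baseDir, f) && !referenced.has(f));
}
```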
Files
apps/electron/src/main/settings.ts — add path validation and file cleanup