johno/beads
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: harden JSONL path handling

Browse Source 
- bound fresh-clone JSONL discovery to the .beads dir (abs path, traversal guard) before reading counts
- add safeWorkspacePath/isWithinWorkspace helpers and use in doctor fixes (database_config, untracked) to reject absolute/traversal inputs and confine .gitattributes edits
- normalize git status paths and path-guard tests for cross-OS (Windows) compatibility
- add regression tests for the new guards
This commit is contained in:
Joel Klabo
2025-11-28 18:58:04 -08:00
parent 6df2b44787
commit cb6ccef7c2
6 changed files with 233 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
cmd/bd/doctor/fix/untracked.go
View File

@@ -16,7 +16,16 @@ func UntrackedJSONL(path string) error {
return err
}
beadsDir := filepath.Join(path, ".beads")
absPath, err := filepath.Abs(path)
if err != nil {
return fmt.Errorf("invalid workspace path: %w", err)
}
path = absPath
beadsDir, err := safeWorkspacePath(path, ".beads")
if err != nil {
return err
}
// Find untracked JSONL files
cmd := exec.Command("git", "status", "--porcelain", ".beads/")
@@ -49,21 +58,31 @@ func UntrackedJSONL(path string) error {
// Stage the untracked files
for _, file := range untrackedFiles {
fullPath := filepath.Join(path, file)
// Verify file exists in .beads directory (security check)
if !strings.HasPrefix(fullPath, beadsDir) {
cleanFile := filepath.Clean(file)
if filepath.IsAbs(cleanFile) || cleanFile == ".." || strings.HasPrefix(cleanFile, ".."+string(os.PathSeparator)) {
continue
}
// Only allow files inside .beads/
slashFile := filepath.ToSlash(cleanFile)
if !strings.HasPrefix(slashFile, ".beads/") {
continue
}
fullPath, err := safeWorkspacePath(path, cleanFile)
if err != nil || !isWithinWorkspace(beadsDir, fullPath) {
continue
}
if _, err := os.Stat(fullPath); os.IsNotExist(err) {
continue
}
addCmd := exec.Command("git", "add", file)
addCmd := exec.Command("git", "add", cleanFile) // #nosec G204 -- cleanFile constrained to .beads/*.jsonl within the validated workspace
addCmd.Dir = path
if err := addCmd.Run(); err != nil {
return fmt.Errorf("failed to stage %s: %w", file, err)
return fmt.Errorf("failed to stage %s: %w", cleanFile, err)
}
fmt.Printf(" Staged %s\n", filepath.Base(file))
fmt.Printf(" Staged %s\n", filepath.Base(cleanFile))
}
// Commit the staged files