Merge pull request #412 from joelklabo/fix/secure-jsonl-paths
Security fix for JSONL path handling - adds path traversal protection
This commit is contained in:
Steve Yegge
GitHub
@@ -5,6 +5,7 @@ import (
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// getBdBinary returns the path to the bd binary to use for fix operations.
|
||||
@@ -47,3 +48,43 @@ func validateBeadsWorkspace(path string) error {
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// safeWorkspacePath resolves relPath within the workspace root and ensures it
|
||||
// cannot escape the workspace via path traversal.
|
||||
func safeWorkspacePath(root, relPath string) (string, error) {
|
||||
absRoot, err := filepath.Abs(root)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("invalid workspace path: %w", err)
|
||||
}
|
||||
|
||||
cleanRel := filepath.Clean(relPath)
|
||||
if filepath.IsAbs(cleanRel) {
|
||||
return "", fmt.Errorf("expected relative path, got absolute: %s", relPath)
|
||||
}
|
||||
|
||||
joined := filepath.Join(absRoot, cleanRel)
|
||||
rel, err := filepath.Rel(absRoot, joined)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to resolve path: %w", err)
|
||||
}
|
||||
|
||||
if rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
|
||||
return "", fmt.Errorf("path escapes workspace: %s", relPath)
|
||||
}
|
||||
|
||||
return joined, nil
|
||||
}
|
||||
|
||||
// isWithinWorkspace reports whether candidate resides within the workspace root.
|
||||
func isWithinWorkspace(root, candidate string) bool {
|
||||
cleanRoot, err := filepath.Abs(root)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
cleanCandidate := filepath.Clean(candidate)
|
||||
rel, err := filepath.Rel(cleanRoot, cleanCandidate)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
return rel == "." || !(rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)))
|
||||
}
|
||||
|
||||
55
cmd/bd/doctor/fix/common_test.go
Normal file
55
cmd/bd/doctor/fix/common_test.go
Normal file
@@ -0,0 +1,55 @@
|
||||
package fix
|
||||
|
||||
import (
|
||||
"path/filepath"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestSafeWorkspacePath(t *testing.T) {
|
||||
root := t.TempDir()
|
||||
absEscape, _ := filepath.Abs(filepath.Join(root, "..", "escape"))
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
relPath string
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "normal relative path",
|
||||
relPath: ".beads/issues.jsonl",
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "nested relative path",
|
||||
relPath: filepath.Join(".beads", "nested", "file.txt"),
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "absolute path rejected",
|
||||
relPath: absEscape,
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "path traversal rejected",
|
||||
relPath: filepath.Join("..", "escape"),
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, err := safeWorkspacePath(root, tt.relPath)
|
||||
if (err != nil) != tt.wantErr {
|
||||
t.Fatalf("safeWorkspacePath() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
if err == nil {
|
||||
if !isWithinWorkspace(root, got) {
|
||||
t.Fatalf("resolved path %q not within workspace %q", got, root)
|
||||
}
|
||||
if !filepath.IsAbs(got) {
|
||||
t.Fatalf("resolved path is not absolute: %q", got)
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
@@ -18,7 +18,16 @@ func DatabaseConfig(path string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
beadsDir := filepath.Join(path, ".beads")
|
||||
absPath, err := filepath.Abs(path)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid workspace path: %w", err)
|
||||
}
|
||||
path = absPath
|
||||
|
||||
beadsDir, err := safeWorkspacePath(path, ".beads")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Load existing config
|
||||
cfg, err := configfile.Load(beadsDir)
|
||||
@@ -129,7 +138,16 @@ func LegacyJSONLConfig(path string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
beadsDir := filepath.Join(path, ".beads")
|
||||
absPath, err := filepath.Abs(path)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid workspace path: %w", err)
|
||||
}
|
||||
path = absPath
|
||||
|
||||
beadsDir, err := safeWorkspacePath(path, ".beads")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Load existing config
|
||||
cfg, err := configfile.Load(beadsDir)
|
||||
@@ -162,8 +180,11 @@ func LegacyJSONLConfig(path string) error {
|
||||
cfg.JSONLExport = "issues.jsonl"
|
||||
|
||||
// Update .gitattributes if it references beads.jsonl
|
||||
gitattrsPath := filepath.Join(path, ".gitattributes")
|
||||
if content, err := os.ReadFile(gitattrsPath); err == nil {
|
||||
gitattrsPath, err := safeWorkspacePath(path, ".gitattributes")
|
||||
if err != nil {
|
||||
fmt.Printf(" Skipping .gitattributes update: %v\n", err)
|
||||
// #nosec G304 -- gitattrsPath constrained to workspace root
|
||||
} else if content, err := os.ReadFile(gitattrsPath); err == nil {
|
||||
if strings.Contains(string(content), ".beads/beads.jsonl") {
|
||||
newContent := strings.ReplaceAll(string(content), ".beads/beads.jsonl", ".beads/issues.jsonl")
|
||||
// #nosec G306 -- .gitattributes should be world-readable
|
||||
|
||||
@@ -16,7 +16,16 @@ func UntrackedJSONL(path string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
beadsDir := filepath.Join(path, ".beads")
|
||||
absPath, err := filepath.Abs(path)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid workspace path: %w", err)
|
||||
}
|
||||
path = absPath
|
||||
|
||||
beadsDir, err := safeWorkspacePath(path, ".beads")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Find untracked JSONL files
|
||||
cmd := exec.Command("git", "status", "--porcelain", ".beads/")
|
||||
@@ -49,21 +58,31 @@ func UntrackedJSONL(path string) error {
|
||||
|
||||
// Stage the untracked files
|
||||
for _, file := range untrackedFiles {
|
||||
fullPath := filepath.Join(path, file)
|
||||
// Verify file exists in .beads directory (security check)
|
||||
if !strings.HasPrefix(fullPath, beadsDir) {
|
||||
cleanFile := filepath.Clean(file)
|
||||
if filepath.IsAbs(cleanFile) || cleanFile == ".." || strings.HasPrefix(cleanFile, ".."+string(os.PathSeparator)) {
|
||||
continue
|
||||
}
|
||||
|
||||
// Only allow files inside .beads/
|
||||
slashFile := filepath.ToSlash(cleanFile)
|
||||
if !strings.HasPrefix(slashFile, ".beads/") {
|
||||
continue
|
||||
}
|
||||
|
||||
fullPath, err := safeWorkspacePath(path, cleanFile)
|
||||
if err != nil || !isWithinWorkspace(beadsDir, fullPath) {
|
||||
continue
|
||||
}
|
||||
if _, err := os.Stat(fullPath); os.IsNotExist(err) {
|
||||
continue
|
||||
}
|
||||
|
||||
addCmd := exec.Command("git", "add", file)
|
||||
addCmd := exec.Command("git", "add", cleanFile) // #nosec G204 -- cleanFile constrained to .beads/*.jsonl within the validated workspace
|
||||
addCmd.Dir = path
|
||||
if err := addCmd.Run(); err != nil {
|
||||
return fmt.Errorf("failed to stage %s: %w", file, err)
|
||||
return fmt.Errorf("failed to stage %s: %w", cleanFile, err)
|
||||
}
|
||||
fmt.Printf(" Staged %s\n", filepath.Base(file))
|
||||
fmt.Printf(" Staged %s\n", filepath.Base(cleanFile))
|
||||
}
|
||||
|
||||
// Commit the staged files
|
||||
|
||||
Reference in New Issue
Block a user