Skip to content

fix(security): validate project and service names to prevent path traversal#9

Open
Vict3310 wants to merge 1 commit into
quikdb:mainfrom
Vict3310:fix/path-traversal-validation
Open

fix(security): validate project and service names to prevent path traversal#9
Vict3310 wants to merge 1 commit into
quikdb:mainfrom
Vict3310:fix/path-traversal-validation

Conversation

@Vict3310

@Vict3310 Vict3310 commented Jul 7, 2026

Copy link
Copy Markdown

Summary

Fixes #3

Project names and service names were passed directly to filepath.Join and os.MkdirAll without any validation, allowing an attacker to write files outside the intended directory.

Attack vectors blocked

quikdb-frame init ../../etc
# Before: silently created directories at ../../etc/
# After:  Error: invalid project name "../../etc": use letters, numbers, hyphens, and underscores only

quikdb-frame init /etc/passwd
# Before: attempted to write to /etc/passwd
# After:  Error: invalid project name "/etc/passwd"

quikdb-frame add api ../../etc/cron
# Before: wrote service files outside project root
# After:  Error: invalid service name "../../etc/cron"

Fix

Added internal/scaffold/validate.go with a strict allowlist regex:

var validName = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_-]{0,49}$`)
  • Must start with a letter or number
  • Only letters, numbers, hyphens, underscores allowed
  • Max 50 characters
  • Rejects all slashes, dots, and traversal sequences

Validation is called at the top of both Init() and Add() — before any file operation touches the disk.

Files changed

  • internal/scaffold/validate.go — new shared validation helper
  • internal/scaffold/init.go — calls validateName() before os.Stat
  • internal/scaffold/add.go — calls validateName() before filepath.Join

Test results

=== ATTACKS (all blocked) ===
Error: invalid project name "../../etc"
Error: invalid project name "/etc/passwd"
Error: invalid project name "my.app"
Error: invalid project name "../sneaky"
Error: invalid service name "../../etc"

=== VALID NAMES (unaffected) ===
Creating project: my-valid-app (database: postgres) ✓

…versal

Fixes quikdb#3

Project names (quikdb-frame init <name>) and service names
(quikdb-frame add <type> <name>) were passed directly to filepath.Join
and os.MkdirAll without validation, allowing path traversal attacks:

  quikdb-frame init ../../etc          # wrote files outside cwd
  quikdb-frame add api ../../etc/cron  # same

Fix: introduce internal/scaffold/validate.go with a strict allowlist
regex applied before any file operation in both Init() and Add().

  ^[a-zA-Z0-9][a-zA-Z0-9_-]{0,49}$

This rejects slashes, dots, and any character that could form a
traversal sequence. Error messages are explicit about what is allowed.

Tested attack vectors — all blocked:
  ../../etc        → Error: invalid project name
  /etc/passwd      → Error: invalid project name
  my.app           → Error: invalid project name
  ../sneaky        → Error: invalid project name

Valid names unaffected:
  my-app, my_app, myapp123 → work as before
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

security: project and service names not validated — path traversal possible

1 participant