fix(security): validate project and service names to prevent path traversal#9
Open
Vict3310 wants to merge 1 commit into
Open
fix(security): validate project and service names to prevent path traversal#9Vict3310 wants to merge 1 commit into
Vict3310 wants to merge 1 commit into
Conversation
…versal Fixes quikdb#3 Project names (quikdb-frame init <name>) and service names (quikdb-frame add <type> <name>) were passed directly to filepath.Join and os.MkdirAll without validation, allowing path traversal attacks: quikdb-frame init ../../etc # wrote files outside cwd quikdb-frame add api ../../etc/cron # same Fix: introduce internal/scaffold/validate.go with a strict allowlist regex applied before any file operation in both Init() and Add(). ^[a-zA-Z0-9][a-zA-Z0-9_-]{0,49}$ This rejects slashes, dots, and any character that could form a traversal sequence. Error messages are explicit about what is allowed. Tested attack vectors — all blocked: ../../etc → Error: invalid project name /etc/passwd → Error: invalid project name my.app → Error: invalid project name ../sneaky → Error: invalid project name Valid names unaffected: my-app, my_app, myapp123 → work as before
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #3
Project names and service names were passed directly to
filepath.Joinandos.MkdirAllwithout any validation, allowing an attacker to write files outside the intended directory.Attack vectors blocked
Fix
Added
internal/scaffold/validate.gowith a strict allowlist regex:Validation is called at the top of both
Init()andAdd()— before any file operation touches the disk.Files changed
internal/scaffold/validate.go— new shared validation helperinternal/scaffold/init.go— callsvalidateName()beforeos.Statinternal/scaffold/add.go— callsvalidateName()beforefilepath.JoinTest results