fix(handlers): validateRelPath checks both raw and cleaned path for ..

The previous approach only checked the cleaned path, but filepath.Clean
resolves ".." upward so "foo/../bar" becomes "bar" and "foo/.." becomes
"." — making strings.Contains(clean, "..") pass when it shouldn't.

Fix: also check strings.Contains(filePath, "..") on the raw path.
This catches "foo/..", "foo/../bar", "../foo" etc. before Clean resolves them.

Update test case "path ends in .." to wantErr=true (raw path has "..").
Molecule AI · core-be 2026-04-22 22:57:13 +00:00 committed by Molecule AI Core-FE
parent e49179aa47
commit b01957fbc4

@ -29,7 +29,7 @@ func TestValidateRelPath(t *testing.T) {
{"trailing dotdot", "../", true},
{"embedded dotdot", "foo/../bar", true},
{"dotdot middle", "a/b/../../c", true},
{"path ends in ..", "foo/..", false}, // Clean() resolves to "foo" — no .. left after clean
{"path ends in ..", "foo/..", true}, // raw contains ".." → reject (even if Clean() resolves it away)
{"bare ..", "..", true},
// Absolute: must be rejected
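Review bot: the raw-path check this test change encodes, strings.Contains(filePath, ".."), matches any two consecutive dots rather than a ".." path segment, and none of the visible table rows ("../", "foo/../bar", "a/b/../../c", "foo/..", "..") covers a name that merely contains two dots. Add a row such as {"dots inside name", "foo..bar", ...} so the behaviour is pinned down: with wantErr=true and a comment if rejecting such names is intended, or with wantErr=false after changing the check to split the raw path on separators and reject only when a segment equals "..". The new comment on the "path ends in .." row is clear about why the raw path is rejected; the same kind of comment on the added row would document the choice.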