Skip to content

Better validation for input/output paths #29

@ghost

Description

  • Doc Kit 0.5 now uses an additional regex charclass_files_strict to try to avoid writing to out-of-scope output paths on the user's machine. However, it does not quite protect against enough cases.
    ../ is caught at the beginning of the string but will not be caught, e.g. after a leading ./ or within some/path/../../../../../now/we/are/very/far/up.
    There may be other issues I did not think about.

  • For the input paths, we use charclass_files_relaxed and that intentionally allows a leading ../, however, even there, we still should not allow e.g. ../../ because then we're outside the repo and it does not make sense anymore.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions