Commit 6577b63

fix(entity-io): reject unsafe entity type values before joining paths
Validate entity_type against a safe pattern to prevent path traversal (e.g. ../outside or /tmp/escape) when constructing the subdirectory. Addresses CodeRabbit review finding: Reject unsafe type values before joining paths
1 parent 7f53363 commit 6577b63

1 file changed

Lines changed: 2 additions & 0 deletions

plugins/kaizen/lib/entity_io.py

@@ -252,6 +252,8 @@ def write_entity_file(directory, entity):
252252
Path to the written file.
253253
"""
254254
entity_type = entity.get("type", "general")
255+
if not re.fullmatch(r"[a-z0-9][a-z0-9_-]*", entity_type):
256+
entity_type = "general"
255257
type_dir = Path(directory) / entity_type
256258
type_dir.mkdir(parents=True, exist_ok=True)
257259
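Review bot: the new guard at line 255 assumes `entity_type` is a string, but `entity.get("type", "general")` returns whatever the entity carries, so a `None` or numeric `"type"` value makes `re.fullmatch` raise `TypeError` instead of falling back to `"general"`; check the type first, e.g. `if not isinstance(entity_type, str) or not re.fullmatch(r"[a-z0-9][a-z0-9_-]*", entity_type):`. The hunk also does not show an `import re` in entity_io.py, so confirm the module already imports it. Finally, silently rewriting a rejected value to `"general"` hides the very inputs the commit message is defending against (`../outside`, `/tmp/escape`); logging a warning with the rejected value, or raising `ValueError` to the caller, would make an attempted traversal visible rather than quietly redirected into the general directory.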
