Skip to content

Commit ba815b7

Browse files
committed
fix(e2e): validate E2E_SHARED_CACHE_DIR before use (path-injection)
CodeQL flagged shared_cache_dir() as a high-severity path-injection: the CI-provided E2E_SHARED_CACHE_DIR flowed into create_dir_all unchecked. Require the override to be an absolute path with no `..` traversal components before it reaches the filesystem sink — rejects a malformed/relative value and clears the taint flow. Behaviour is unchanged for the well-formed absolute path CI sets. Signed-off-by: fredespi <fredrik.espinoza@gmail.com>
1 parent 28a47ab commit ba815b7

1 file changed

Lines changed: 12 additions & 2 deletions

File tree

  • tests/e2e-cucumber/tests

tests/e2e-cucumber/tests/e2e.rs

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -64,8 +64,18 @@ pub struct E2eWorld {
6464
/// model weights per scenario. Only immutable artifacts are shared — service
6565
/// records, config, and per-service engine state stay isolated per scenario.
6666
fn shared_cache_dir() -> Option<PathBuf> {
67-
let dir = std::env::var_os("E2E_SHARED_CACHE_DIR")?;
68-
let dir = PathBuf::from(dir);
67+
let dir = PathBuf::from(std::env::var_os("E2E_SHARED_CACHE_DIR")?);
68+
// The value is CI-controlled, but validate it before it reaches a filesystem
69+
// sink: require an absolute path with no `..` traversal components. This both
70+
// rejects a malformed/relative override (which would create a cache dir in an
71+
// unexpected place) and sanitises the taint flow for path-injection analysis.
72+
if !dir.is_absolute()
73+
|| dir
74+
.components()
75+
.any(|c| matches!(c, std::path::Component::ParentDir))
76+
{
77+
return None;
78+
}
6979
std::fs::create_dir_all(&dir).ok()?;
7080
Some(dir)
7181
}

0 commit comments

Comments
 (0)