fix: address PR review comments

opswithranjan · opswithranjan · commit 085c9595ecbe · 2026-03-09T17:12:06.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 
+## [Unreleased]
+
+
 ## [1.14.0] - 2026-03-09
 
 ### Added
diff --git a/README.md b/README.md
@@ -48,6 +48,7 @@ The CLI currently supports the following commands (and sub-commands):
   - `packages`:             List packages for a repository. (Aliases `repos list`)
   - `repos`:                List repositories for a namespace (owner).
 - `login`|`token`:        Retrieve your API authentication token/key via login.
+- `logout`:               Clear stored authentication credentials and SSO tokens (Keyring, API key from credential file and emit warning when `$CLOUDSMITH_API_KEY` is still set).
 - `metrics`:              Metrics and statistics for a repository.
   - `tokens`:               Retrieve bandwidth usage for entitlement tokens.
   - `packages`:             Retrieve package usage for repository.
diff --git a/cloudsmith_cli/cli/commands/download.py b/cloudsmith_cli/cli/commands/download.py
@@ -288,7 +288,7 @@ def download(  # noqa: C901
         for idx, file_info in enumerate(files_to_download, 1):
             filename = file_info["filename"]
             file_url = file_info["cdn_url"]
-            output_path = os.path.join(output_dir, filename)
+            output_path = _safe_join(output_dir, filename)
 
             primary_marker = " (primary)" if file_info.get("is_primary") else ""
             tag = file_info.get("tag", "file")
@@ -408,7 +408,7 @@ def download(  # noqa: C901
     if not outfile:
         # Extract filename from URL or use package name + format
         if package.get("filename"):
-            outfile = package["filename"]
+            outfile = os.path.basename(package["filename"])
         else:
             # Fallback to package name with extension based on format
             pkg_format = package.get("format", "bin")
@@ -552,7 +552,11 @@ def _download_all_packages(  # noqa: C901
             )
 
         if all_files:
-            # Download all sub-files for this package
+            # Download all sub-files for this package into a per-package subdir
+            pkg_subdir = os.path.join(output_dir, f"{pkg_name}-{pkg_version}")
+            if not os.path.exists(pkg_subdir):
+                os.makedirs(pkg_subdir)
+
             context_msg = f"Failed to get details for {pkg_name}!"
             with handle_api_exceptions(ctx, opts=opts, context_msg=context_msg):
                 detail = get_package_detail(
@@ -563,7 +567,7 @@ def _download_all_packages(  # noqa: C901
             for file_info in sub_files:
                 filename = file_info["filename"]
                 file_url = file_info["cdn_url"]
-                file_path = os.path.join(output_dir, filename)
+                file_path = _safe_join(pkg_subdir, filename)
                 tag = file_info.get("tag", "file")
 
                 if not use_stderr:
@@ -612,7 +616,7 @@ def _download_all_packages(  # noqa: C901
             # Download the primary package file
             download_url = pkg.get("cdn_url") or pkg.get("download_url")
             filename = pkg_filename or f"{pkg_name}-{pkg_version}"
-            file_path = os.path.join(output_dir, filename)
+            file_path = _safe_join(output_dir, filename)
 
             if not download_url:
                 # Fall back to detailed package info
@@ -725,6 +729,23 @@ def _download_all_packages(  # noqa: C901
         )
 
 
+def _safe_join(base_dir, filename):
+    """Safely join base_dir and filename, preventing path traversal."""
+    # Strip path separators and use only the basename
+    safe_name = os.path.basename(filename)
+    if not safe_name:
+        raise click.ClickException(
+            f"Invalid filename '{filename}' — cannot be empty after sanitization."
+        )
+    result = os.path.join(base_dir, safe_name)
+    # Final check: resolved path must be under base_dir
+    if not os.path.realpath(result).startswith(os.path.realpath(base_dir) + os.sep):
+        raise click.ClickException(
+            f"Filename '{filename}' resolves outside the target directory."
+        )
+    return result
+
+
 def _get_extension_for_format(pkg_format: str) -> str:
     """Get appropriate file extension for package format."""
     format_extensions = {
