Fix path traversal

Author: spoorcc

CHANGELOG.rst

@@ -14,8 +14,8 @@ Release 0.14.0 (unreleased)
 * Fix "unsafe symlink target" error for archives containing relative ``..`` symlinks (#1122)
 * Fix ``dfetch add`` crashing with a ``ValueError`` when the remote URL has a trailing slash (#1137)
 * Fix unhelpful error message when a metadata file is malformed (#1145)
-* Fix arbitrary file write via malicious tar/zip symlink (#0)
-* Prevent ssh command injection (#0)
+* Fix arbitrary file write via malicious tar/zip symlink (#1152)
+* Prevent ssh command injection (#1152)
 
 Release 0.13.0 (released 2026-03-30)
 ====================================

script/create_release_notes.py

@@ -49,7 +49,13 @@ def main():
     )
     args = parser.parse_args()
 
-    changelog_path = Path(args.changelog)
+    try:
+        changelog_path = Path(args.changelog).resolve()
+        changelog_path.relative_to(Path.cwd().resolve())
+    except ValueError:
+        print(f"Error: {args.changelog} is outside the current directory.")
+        sys.exit(1)
+
     if not changelog_path.exists():
         print(f"Error: {changelog_path} not found.")
         sys.exit(1)