fix: validate OUTPUT_FILENAME to prevent path traversal and unsafe characters

Reject filenames containing path separators, special characters, or absolute
paths. Only alphanumeric characters, hyphens, underscores, and dots are allowed.
Adds four security tests covering path traversal, absolute paths, directory
separators, and shell metacharacters.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: zkoppert

env.py

@@ -5,6 +5,7 @@
 
 import datetime
 import os
+import re
 from os.path import dirname, join
 
 from dotenv import load_dotenv
@@ -179,6 +180,15 @@ def get_env_vars(
     sponsor_info = get_bool_env_var("SPONSOR_INFO", False)
     link_to_profile = get_bool_env_var("LINK_TO_PROFILE", False)
     output_filename = os.getenv("OUTPUT_FILENAME", "").strip() or "contributors.md"
+    if not re.match(r"^[a-zA-Z0-9_\-\.]+$", output_filename):
+        raise ValueError(
+            "OUTPUT_FILENAME must contain only alphanumeric characters, "
+            "hyphens, underscores, and dots"
+        )
+    if output_filename != os.path.basename(output_filename):
+        raise ValueError(
+            "OUTPUT_FILENAME must be a simple filename without path separators"
+        )
 
     # Separate repositories_str into a list based on the comma separator
     repositories_list = []

test_env.py

@@ -233,6 +233,62 @@ def test_get_env_vars_custom_output_filename(self):
 
         self.assertEqual(output_filename, "custom-report.md")
 
+    @patch.dict(
+        os.environ,
+        {
+            "ORGANIZATION": "org",
+            "GH_TOKEN": "token",
+            "OUTPUT_FILENAME": "../../../etc/passwd",
+        },
+        clear=True,
+    )
+    def test_get_env_vars_output_filename_path_traversal_rejected(self):
+        """Test that OUTPUT_FILENAME rejects path traversal attempts."""
+        with self.assertRaises(ValueError):
+            env.get_env_vars()
+
+    @patch.dict(
+        os.environ,
+        {
+            "ORGANIZATION": "org",
+            "GH_TOKEN": "token",
+            "OUTPUT_FILENAME": "/tmp/output.md",
+        },
+        clear=True,
+    )
+    def test_get_env_vars_output_filename_absolute_path_rejected(self):
+        """Test that OUTPUT_FILENAME rejects absolute paths."""
+        with self.assertRaises(ValueError):
+            env.get_env_vars()
+
+    @patch.dict(
+        os.environ,
+        {
+            "ORGANIZATION": "org",
+            "GH_TOKEN": "token",
+            "OUTPUT_FILENAME": "reports/output.md",
+        },
+        clear=True,
+    )
+    def test_get_env_vars_output_filename_directory_separator_rejected(self):
+        """Test that OUTPUT_FILENAME rejects filenames with directory separators."""
+        with self.assertRaises(ValueError):
+            env.get_env_vars()
+
+    @patch.dict(
+        os.environ,
+        {
+            "ORGANIZATION": "org",
+            "GH_TOKEN": "token",
+            "OUTPUT_FILENAME": "file;rm -rf /.md",
+        },
+        clear=True,
+    )
+    def test_get_env_vars_output_filename_special_chars_rejected(self):
+        """Test that OUTPUT_FILENAME rejects filenames with special characters."""
+        with self.assertRaises(ValueError):
+            env.get_env_vars()
+
     @patch.dict(os.environ, {}, clear=True)
     def test_get_env_vars_missing_org_or_repo(self):
         """Test that an error is raised if required environment variables are not set"""