Commit cb87a41

Copilotmnriem
andauthored
Fix path traversal risk in extension URL download filename; fix redundant except clause
Agent-Logs-Url: https://github.com/github/spec-kit/sessions/0c7ae935-443c-4e90-ba92-7c3234a46673 Co-authored-by: mnriem <15701806+mnriem@users.noreply.github.com>
1 parent 0fd0bf6 commit cb87a41

1 file changed

Lines changed: 3 additions & 2 deletions

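--- a/src/specify_cli/__init__.py
+++ b/src/specify_cli/__init__.py
@@ -3663,7 +3663,8 @@ def extension_add(
 raise typer.Exit(1)
 
 suffix = ".tar.gz" if archive_fmt == "tar.gz" else ".zip"
-archive_path = download_dir / f"{extension}-url-download{suffix}"
+safe_name = Path(extension).name or "extension"
+archive_path = download_dir / f"{safe_name}-url-download{suffix}"
 archive_path.write_bytes(archive_data)
 
 # Install from downloaded archive
@@ -5120,7 +5121,7 @@ def _validate_and_install_local(yaml_path: Path, source_label: str) -> None:
 local_fmt = _detect_archive_format(source)
 try:
 wf_yaml = _extract_workflow_yml(source_path, local_fmt)
-except (ValueError, Exception) as exc:
+except Exception as exc:
 console.print(f"[red]Error:[/red] Failed to extract workflow from archive: {exc}")
 raise typer.Exit(1)
 import tempfile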
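Review bot: `Path(extension).name` on new line 3666 of the first hunk strips directory components but keeps every other character, so a value with an embedded NUL makes the following `archive_path.write_bytes(archive_data)` raise `ValueError`, and on Windows reserved characters such as `:`, `?` or `*` raise `OSError`; neither is caught around the write, so the user gets a traceback instead of the `[red]Error:[/red]` message plus `typer.Exit(1)` pattern the second hunk shows. The `-url-download` tag suggests `extension` holds the URL in this branch, in which case a query string like `?ref=main` would land in the basename, though the hunk does not show where `extension` comes from. Consider narrowing to a filesystem-safe alphabet rather than only dropping separators: `safe_name = "".join(c if c.isalnum() or c in "._-" else "_" for c in Path(extension).name) or "extension"`. The traversal itself is closed: even `..` becomes the plain file `..-url-download.zip` inside `download_dir`. `extension_add` starts and ends outside the hunk.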
