fix: address code review feedback

iamaeroplane · claude · iamaeroplane · commit d6e07739bcb3 · 2026-03-25T13:07:50.000+01:00
- Use Path.anchor to reject drive-relative/UNC paths in script
  validation, not just os.path.isabs + normpath
- chmod only adds execute bits (0o111) and is gated to POSIX
- Command filter treats missing extensions dir as empty (filters
  out all extension-scoped commands), matching preset behavior
- list_available() rejects unsupported template_type with ValueError
- CLI list-templates validates --type before calling resolver

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/specify_cli/__init__.py b/src/specify_cli/__init__.py
@@ -2743,7 +2743,14 @@ def preset_list_templates(
     ),
 ):
     """List all available templates from the resolution stack."""
-    from .presets import PresetResolver
+    from .presets import PresetResolver, VALID_PRESET_TEMPLATE_TYPES
+
+    if template_type not in VALID_PRESET_TEMPLATE_TYPES:
+        console.print(
+            f"[red]Error:[/red] Invalid template type '{template_type}'. "
+            f"Must be one of: {', '.join(sorted(VALID_PRESET_TEMPLATE_TYPES))}"
+        )
+        raise typer.Exit(1)
 
     project_root = Path.cwd()
 
diff --git a/src/specify_cli/extensions.py b/src/specify_cli/extensions.py
@@ -171,10 +171,16 @@ def _validate(self):
                     "must be lowercase alphanumeric with hyphens only"
                 )
 
-            # Validate file path safety: must be relative, no parent traversal
+            # Validate file path safety: must be relative, no anchored/drive
+            # paths, and no parent traversal components
             file_path = script["file"]
-            normalized = os.path.normpath(file_path)
-            if os.path.isabs(normalized) or normalized.startswith(".."):
+            p = Path(file_path)
+            if p.is_absolute() or p.anchor:
+                raise ValidationError(
+                    f"Invalid script file path '{file_path}': "
+                    "must be a relative path within the extension directory"
+                )
+            if ".." in p.parts:
                 raise ValidationError(
                     f"Invalid script file path '{file_path}': "
                     "must be a relative path within the extension directory"
@@ -622,11 +628,12 @@ def install_from_directory(
         ignore_fn = self._load_extensionignore(source_dir)
         shutil.copytree(source_dir, dest_dir, ignore=ignore_fn)
 
-        # Set execute permissions on extension scripts
-        for script in manifest.scripts:
-            script_path = dest_dir / script["file"]
-            if script_path.exists() and script_path.suffix == ".sh":
-                script_path.chmod(script_path.stat().st_mode | 0o755)
+        # Set execute permissions on extension scripts (POSIX only)
+        if os.name == "posix":
+            for script in manifest.scripts:
+                script_path = dest_dir / script["file"]
+                if script_path.exists() and script_path.suffix == ".sh":
+                    script_path.chmod(script_path.stat().st_mode | 0o111)
 
         # Register commands with AI agents
         registered_commands = {}
@@ -1092,16 +1099,16 @@ def _filter_commands_for_installed_extensions(
         Extension-specific commands are only kept if the target extension
         directory exists under .specify/extensions/.
 
-        If the extensions directory does not exist, no filtering is applied.
+        If the extensions directory does not exist, it is treated as empty
+        and all extension-scoped commands are filtered out (matching the
+        preset filtering behavior at presets.py:518-529).
 
         Note: This method is not applied during extension self-registration
         (all commands in an extension's own manifest are always registered).
         It is designed for cross-boundary filtering, e.g. when presets provide
         commands for extensions that may not be installed.
         """
         extensions_dir = project_root / ".specify" / "extensions"
-        if not extensions_dir.is_dir():
-            return commands
         filtered = []
         for cmd in commands:
             parts = cmd["name"].split(".")
diff --git a/src/specify_cli/presets.py b/src/specify_cli/presets.py
@@ -1681,7 +1681,16 @@ def list_available(
 
         Returns:
             List of dicts with 'name', 'path', and 'source' keys, sorted by name.
+
+        Raises:
+            ValueError: If template_type is not one of "template", "command", "script"
         """
+        if template_type not in VALID_PRESET_TEMPLATE_TYPES:
+            raise ValueError(
+                f"Invalid template type '{template_type}': "
+                f"must be one of {sorted(VALID_PRESET_TEMPLATE_TYPES)}"
+            )
+
         seen: set[str] = set()
         results: List[Dict[str, str]] = []
 
@@ -1691,10 +1700,8 @@ def list_available(
             subdirs = ["templates", ""]
         elif template_type == "command":
             subdirs = ["commands"]
-        elif template_type == "script":
+        else:  # script
             subdirs = ["scripts"]
-        else:
-            subdirs = [""]
 
         def _collect(directory: Path, source: str):
             """Collect template files from a directory."""
