fix(compile): block path-traversal in runtime-import resolver and guard fixture helper

Two follow-up findings from the 2026-05-19 review on #625:

1. Reject `..` path components in both resolvers.

   `resolve_imports_inline` (compile-time, inlined-imports: true) and
   `import.js` (runtime, inlined-imports: false) both accepted
   `../`-style paths without restriction. A malicious markdown body
   on an untrusted PR branch could therefore embed host files (e.g.
   `{{#runtime-import ../../../../etc/passwd}}`) into the compiled
   YAML or, at runtime, into the agent prompt. The new guard rejects
   any path whose `/` or `\\`-split segments include `..`,
   regardless of whether the path is absolute or relative. Literal
   `..` characters inside a filename (e.g. `name..md`) are still
   allowed because they are not segments.

2. `compile_fixture_with_inlined_imports` now refuses fixtures that
   already declare `inlined-imports:`.

   The helper used to inject `inlined-imports: true` by raw string
   substitution before the closing `---`. If a future fixture
   hard-coded `inlined-imports: false`, the rewritten front matter
   would have two `inlined-imports:` keys; serde_yaml silently uses
   the last one so the test would still pass, but the duplicate-key
   fixture is confusing and the helper would silently flip the
   author's intent. The guard panics with an actionable message.

Tests:
* src/compile/extensions/ado_script.rs: 5 new unit tests covering
  relative/embedded/absolute/backslash `..` rejection and the literal
  `name..md` allow case.
* scripts/ado-script/src/import/__tests__/path-traversal.test.ts:
  4 new vitest cases.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine

scripts/ado-script/src/import/__tests__/path-traversal.test.ts

@@ -0,0 +1,67 @@
+import { describe, expect, it } from "vitest";
+import { readText, runImportSource, withScratchDir, writeFixture } from "./helpers.js";
+
+describe("runtime-import path traversal", () => {
+  it("rejects a required marker whose path contains a '..' segment", () => {
+    withScratchDir("traversal-required", (dir) => {
+      const original = "before\n{{#runtime-import ../escape.md}}\nafter\n";
+      const target = writeFixture(dir, "prompt.md", original);
+
+      const result = runImportSource(target);
+
+      expect(result.status).toBe(1);
+      expect(result.stderr).toBe("");
+      expect(result.stdout).toBe(
+        "##vso[task.logissue type=error]runtime-import: invalid path '../escape.md': '..' path components are not allowed\n",
+      );
+      // Target file must NOT be overwritten on error.
+      expect(readText(target)).toBe(original);
+    });
+  });
+
+  it("rejects '..' segments even when the marker is optional", () => {
+    withScratchDir("traversal-optional", (dir) => {
+      const original = "before\n{{#runtime-import? ../escape.md}}\nafter\n";
+      const target = writeFixture(dir, "prompt.md", original);
+
+      const result = runImportSource(target);
+
+      // The traversal guard fires regardless of optional-marker form:
+      // path traversal is structurally invalid, not a missing-file case.
+      expect(result.status).toBe(1);
+      expect(result.stdout).toContain("'..' path components are not allowed");
+      expect(readText(target)).toBe(original);
+    });
+  });
+
+  it("rejects backslash-style '..' segments on Windows-shaped paths", () => {
+    withScratchDir("traversal-backslash", (dir) => {
+      const target = writeFixture(
+        dir,
+        "prompt.md",
+        "{{#runtime-import sub\\..\\..\\escape.md}}\n",
+      );
+
+      const result = runImportSource(target);
+
+      expect(result.status).toBe(1);
+      expect(result.stdout).toContain("'..' path components are not allowed");
+    });
+  });
+
+  it("allows literal '..' inside a filename (not a segment)", () => {
+    withScratchDir("traversal-literal", (dir) => {
+      writeFixture(dir, "name..md", "DOUBLE_DOT_FILE");
+      const target = writeFixture(
+        dir,
+        "prompt.md",
+        "{{#runtime-import ./name..md}}\n",
+      );
+
+      const result = runImportSource(target);
+
+      expect(result.status).toBe(0);
+      expect(readText(target)).toBe("DOUBLE_DOT_FILE\n");
+    });
+  });
+});

scripts/ado-script/src/import/index.ts

@@ -39,6 +39,18 @@ function main(): void {
   // nested runtime-import markers inside them are not expanded. This matches
   // gh-aw's runtime-import behaviour.
   const expanded = original.replace(MARKER, (_whole, optional: string | undefined, rawPath: string) => {
+    // Reject `..` segments — a malicious or compromised agent body could
+    // otherwise reach files outside `base` (which on the agent VM is
+    // `$(Build.SourcesDirectory)`, the trigger-repo checkout). Mirrors
+    // `resolve_imports_inline` in src/compile/extensions/ado_script.rs.
+    const hasDotDotSegment = rawPath.split(/[\/\\]/).some((segment) => segment === "..");
+    if (hasDotDotSegment) {
+      errors.push(
+        `invalid path '${sanitizeForVsoMessage(rawPath)}': '..' path components are not allowed`,
+      );
+      return "";
+    }
+
     const absPath = isAbsolute(rawPath) ? rawPath : resolve(base, rawPath);
 
     if (!existsSync(absPath)) {

src/compile/extensions/ado_script.rs

@@ -249,6 +249,20 @@ pub fn resolve_imports_inline(body: &str, base_dir: &std::path::Path) -> Result<
             "runtime-import: invalid path '{}': whitespace is not allowed",
             path_str
         );
+        // Reject any path whose segments contain `..`. A malicious agent
+        // body could otherwise reach files outside `base_dir` and embed
+        // them verbatim into the compiled YAML — e.g.
+        // `{{#runtime-import ../../../../etc/passwd}}` if `ado-aw compile`
+        // is run on an untrusted PR branch. This guard applies to both
+        // relative and absolute paths because `..` segments make any
+        // path-confinement check unsound.
+        anyhow::ensure!(
+            !path_str
+                .split(['/', '\\'])
+                .any(|component| component == ".."),
+            "runtime-import: invalid path '{}': '..' path components are not allowed",
+            path_str
+        );
 
         let abs = if std::path::Path::new(path_str).is_absolute() {
             std::path::PathBuf::from(path_str)
@@ -477,4 +491,92 @@ mod tests {
 
         assert_eq!(result, "A ONE B TWO C");
     }
+
+    /// Path traversal: `..` segments would let a malicious agent body
+    /// reach files outside `base_dir` (e.g. `../../../../etc/passwd` when
+    /// `ado-aw compile` runs over an untrusted PR branch). Reject at
+    /// resolution time regardless of whether the file actually exists.
+    #[test]
+    fn rejects_relative_path_with_dotdot_segment() {
+        let workspace = TestWorkspace::new();
+        let err = resolve_imports_inline(
+            "{{#runtime-import ../escape.md}}",
+            &workspace.path,
+        )
+        .unwrap_err();
+        assert!(
+            err.to_string().contains("'..' path components are not allowed"),
+            "expected '..' rejection, got: {err}"
+        );
+    }
+
+    #[test]
+    fn rejects_path_with_embedded_dotdot_segment() {
+        let workspace = TestWorkspace::new();
+        let err = resolve_imports_inline(
+            "{{#runtime-import sub/../../escape.md}}",
+            &workspace.path,
+        )
+        .unwrap_err();
+        assert!(
+            err.to_string().contains("'..' path components are not allowed"),
+            "expected '..' rejection, got: {err}"
+        );
+    }
+
+    #[test]
+    fn rejects_absolute_path_with_dotdot_segment() {
+        let workspace = TestWorkspace::new();
+        // Absolute paths are otherwise accepted (see
+        // `supports_relative_and_absolute_paths`), but `..` segments
+        // make path-confinement reasoning unsound and must still be
+        // rejected.
+        let err = resolve_imports_inline(
+            "{{#runtime-import /tmp/agents/../../etc/passwd}}",
+            &workspace.path,
+        )
+        .unwrap_err();
+        assert!(
+            err.to_string().contains("'..' path components are not allowed"),
+            "expected '..' rejection, got: {err}"
+        );
+    }
+
+    #[test]
+    fn rejects_backslash_dotdot_segment_on_windows_style_paths() {
+        let workspace = TestWorkspace::new();
+        let err = resolve_imports_inline(
+            r"{{#runtime-import sub\..\..\escape.md}}",
+            &workspace.path,
+        )
+        .unwrap_err();
+        assert!(
+            err.to_string().contains("'..' path components are not allowed"),
+            "expected '..' rejection, got: {err}"
+        );
+    }
+
+    /// `..filename.md` and `name..md` are not path-traversal — they're
+    /// literal filenames where `..` is part of the name, not a segment.
+    /// Make sure the segment-aware check doesn't false-positive on these.
+    #[test]
+    fn allows_literal_double_dot_in_filename() {
+        let workspace = TestWorkspace::new();
+        workspace.write("..hidden.md", "DOTHIDDEN");
+        workspace.write("name..md", "DOUBLE");
+
+        let a = resolve_imports_inline(
+            "{{#runtime-import ..hidden.md}}",
+            &workspace.path,
+        )
+        .unwrap();
+        let b = resolve_imports_inline(
+            "{{#runtime-import name..md}}",
+            &workspace.path,
+        )
+        .unwrap();
+
+        assert_eq!(a, "DOTHIDDEN");
+        assert_eq!(b, "DOUBLE");
+    }
 }

tests/compiler_tests.rs

@@ -3697,6 +3697,25 @@ fn assert_valid_yaml(compiled: &str, fixture_name: &str) {
 
 fn compile_fixture_with_inlined_imports(fixture_name: &str) -> String {
     compile_fixture_tree_with_flags(fixture_name, &[], &[], |contents| {
+        // If the fixture already declares `inlined-imports:` (either
+        // value), don't inject a second key. serde_yaml silently uses the
+        // last key on duplicates, so the test would still pass — but the
+        // rewritten fixture would have a confusing duplicate and a
+        // future fixture that hard-codes `inlined-imports: false` would
+        // silently get flipped to `true` by this helper. Detect line-
+        // starting `inlined-imports:` so we don't false-positive on the
+        // string appearing inside body content.
+        let already_present = contents.lines().any(|line| {
+            let trimmed = line.trim_start();
+            trimmed.starts_with("inlined-imports:")
+        });
+        if already_present {
+            panic!(
+                "Fixture {fixture_name} already declares `inlined-imports:`; \
+                 `compile_fixture_with_inlined_imports` would produce a duplicate key. \
+                 Use `compile_fixture` directly, or remove the existing key from the fixture."
+            );
+        }
         if let Some((front_matter, body)) = contents.split_once("\r\n---\r\n") {
             format!("{front_matter}\r\ninlined-imports: true\r\n---\r\n{body}")
         } else if let Some((front_matter, body)) = contents.split_once("\n---\n") {