Skip to content

fix(keys): reject path traversal in from_files#17

Merged
zfarrell merged 1 commit into
mainfrom
fix/path-traversal-keys
Apr 3, 2026
Merged

fix(keys): reject path traversal in from_files#17
zfarrell merged 1 commit into
mainfrom
fix/path-traversal-keys

Conversation

@zfarrell

@zfarrell zfarrell commented Apr 3, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Reject paths containing .. components in DatasetLayout::from_files to prevent directory traversal attacks (hotdata-dev/monopoly#430)

Test plan

  • rejects_parent_dir_traversal — mid-path .. rejected
  • rejects_dotdot_prefix_traversal../../../etc/passwd rejected
  • accepts_valid_absolute_path — normal paths still work
  • Full test suite passes with cargo test --features sqlite-provider

@zfarrell zfarrell merged commit ca92c15 into main Apr 3, 2026
5 checks passed
@zfarrell zfarrell deleted the fix/path-traversal-keys branch April 3, 2026 19:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@zfarrell