Skip to content
This repository was archived by the owner on Jun 16, 2026. It is now read-only.
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@

## 2024-05-22 - [Fix path traversal vulnerability in module resolution]
**Vulnerability:** The manual path resolution fallback in the TypeScript extractor popped path components unconditionally when encountering `..` (ParentDir), ignoring edge cases where `..` escapes the root directory or when leading `..` components should be preserved.
Comment on lines +1 to +3
**Learning:** Manual path normalization logic must strictly follow semantic path construction and guard against unexpected component states like traversing above `RootDir` or losing relative paths like `../../foo`.
**Prevention:** Always validate the existing state of path components before modifying them during `ParentDir` handling, treating `RootDir` and `Prefix` as non-poppable, and preserving `ParentDir` when needed.
11 changes: 8 additions & 3 deletions crates/flow/src/incremental/extractors/typescript.rs
Original file line number Diff line number Diff line change
Expand Up @@ -807,9 +807,14 @@ impl TypeScriptDependencyExtractor {
let mut components = Vec::new();
for component in resolved.components() {
match component {
std::path::Component::ParentDir => {
components.pop();
}
std::path::Component::ParentDir => match components.last() {
Some(std::path::Component::RootDir)
| Some(std::path::Component::Prefix(_)) => {}
Comment on lines 807 to +812
Some(std::path::Component::Normal(_)) => {
components.pop();
}
_ => components.push(component),
},
std::path::Component::CurDir => {}
_ => components.push(component),
}
Expand Down
8 changes: 4 additions & 4 deletions crates/rule-engine/src/check_var.rs
Original file line number Diff line number Diff line change
Expand Up @@ -104,9 +104,9 @@ fn get_vars_from_rules<'r>(rule: &'r Rule, utils: &'r RuleRegistration) -> Rapid
vars
}

fn check_var_in_constraints<'r>(
fn check_var_in_constraints(
mut vars: RapidSet<String>,
constraints: &'r RapidMap<thread_ast_engine::meta_var::MetaVariableID, Rule>,
constraints: &RapidMap<thread_ast_engine::meta_var::MetaVariableID, Rule>,
) -> RResult<RapidSet<String>> {
for rule in constraints.values() {
for var in rule.defined_vars() {
Expand All @@ -125,9 +125,9 @@ fn check_var_in_constraints<'r>(
Ok(vars)
}

fn check_var_in_transform<'r>(
fn check_var_in_transform(
mut vars: RapidSet<String>,
transform: &'r Option<Transform>,
transform: &Option<Transform>,
) -> RResult<RapidSet<String>> {
let Some(transform) = transform else {
return Ok(vars);
Expand Down