Fix security and correctness issues in artifacts_download #780

Merged
johnbatty merged 1 commit into microsoft:main from johnbatty:worktree-bridge-cse_01P2pgisDWr9prF1SjBvL1s4 on Apr 25, 2026

@johnbatty

Collaborator
  • Use path_segments_mut() for URL construction to prevent path injection
  • Reject manifest entries with .. path components (path traversal)
  • Normalize blob ID map keys to uppercase for consistent matching
  • Batch-resolve all file root blob URLs in one request
  • Simplify nibble_pos type in decompressor (bool was unused)
  • Cap deserialization error previews at 512 bytes
  • Guard Vec::with_capacity against i64->usize overflow

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
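
Two of the guards listed above (rejecting `..` manifest components and checking an i64 length before `Vec::with_capacity`), sketched with the standard library only. This is an added example, not code from this PR or the repository: `safe_join`, `checked_capacity` and `MAX_PREALLOC` are hypothetical names, and it goes slightly beyond the description by also refusing absolute paths and capping the preallocation.

```rust
use std::path::{Component, Path, PathBuf};

/// Assumed upper bound on how much we preallocate from an untrusted length.
const MAX_PREALLOC: usize = 1 << 20;

/// Hypothetical helper: join a manifest entry onto the download root,
/// refusing any entry that could resolve outside that root.
fn safe_join(root: &Path, entry: &str) -> Result<PathBuf, String> {
    // Manifests may carry either separator; normalise before splitting.
    let normalised = entry.replace('\\', "/");
    let mut out = root.to_path_buf();
    for comp in Path::new(&normalised).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            // `..`, a leading `/`, or a drive prefix would escape `root`.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                return Err(format!("unsafe manifest path: {:?}", entry));
            }
        }
    }
    if out == root {
        return Err(format!("empty manifest path: {:?}", entry));
    }
    Ok(out)
}

/// Hypothetical helper: turn a wire-format i64 count into a capacity.
/// A plain `declared as usize` would turn -1 into usize::MAX.
fn checked_capacity(declared: i64) -> Result<usize, String> {
    let n = usize::try_from(declared)
        .map_err(|_| format!("invalid length {}", declared))?;
    // Preallocate at most MAX_PREALLOC; the Vec can still grow on demand.
    Ok(n.min(MAX_PREALLOC))
}

fn main() {
    // Constructed manifest entries, not taken from the PR.
    for e in ["bin/tool.exe", "../../etc/passwd", "bin\\..\\..\\x", "/abs"] {
        println!("{:?} -> {:?}", e, safe_join(Path::new("out"), e));
    }
    println!("{:?} {:?}", checked_capacity(-1), checked_capacity(16));
    let buf: Vec<u8> = Vec::with_capacity(checked_capacity(16).unwrap());
    println!("capacity >= 16: {}", buf.capacity() >= 16);
}
```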
@johnbatty

Collaborator Author

@cataggar Please could you review these updates from Claude - all look sensible to me, but I'm not able to test them.

@johnbatty johnbatty merged commit ea17a77 into microsoft:main Apr 25, 2026
2 checks passed