refactor(connect): undo takes a validated backup basename, path resolved server-side
CodeQL flagged path injection at the connect read() seam: the undo request's
user-supplied backup_path flowed into os.ReadFile. Rather than sanitize a
client-controlled path, stop trusting one entirely.
The request now carries only backup_name — the bare filename of the backup the
connect returned. Undo resolves the full path itself by joining it with THIS
client's own config directory (derived from the client registry, never from the
request), after rejecting anything whose filepath.Base differs from the input
and requiring the strict "<config-basename>.bak." prefix. The user input can no
longer contribute a directory component, so traversal is impossible by
construction and the taint path breaks at the Base()==input guard + constant-dir
join.
- API: UndoConnectRequest.BackupPath -> BackupName (json backup_name); server
resolves + validates; unknown basename still 404, path-shaped name -> 400.
- Frontend: api.undoConnectClient sends filepath.Base (strips / and \) so both
wizard and ConnectModal call sites emit a bare name; new connect-undo-api spec
asserts the wire payload.
- Docs + OpenAPI regenerated for backup_name.
- Tests: absolute path rejected, separators-in-name rejected, unknown name 404,
path-shaped name -> 400 at the HTTP boundary.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
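The commit message above describes the guard that replaces the client-controlled path: accept only a bare basename, reject anything whose filepath.Base differs from the input, require the strict "<config-basename>.bak." prefix, and join with a server-side constant directory. The following Go function is an added example written for this page, not the project's own code; the function name resolveBackupPath, the ErrBadBackupName error, and the sample directory and file names are all assumptions. It also rejects backslashes explicitly, because filepath.Base only treats "\" as a separator on Windows.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadBackupName is a hypothetical error for a request whose backup_name is
// not a bare, well-formed backup filename (the commit maps this to HTTP 400).
var ErrBadBackupName = errors.New("backup_name must be a bare backup filename")

// resolveBackupPath (hypothetical helper, not the project's code) turns a
// client-supplied backup basename into the on-disk path the server will read.
// configDir and configBasename come from the server's own client registry,
// never from the request, so the input can only ever be the final path element.
func resolveBackupPath(configDir, configBasename, backupName string) (string, error) {
	if backupName == "" {
		return "", ErrBadBackupName
	}
	// Base()==input guard: a directory component, a leading "/", or "." / ".."
	// makes filepath.Base disagree with the raw input, so all are rejected.
	if filepath.Base(backupName) != backupName || backupName == "." || backupName == ".." {
		return "", ErrBadBackupName
	}
	// On Unix filepath.Base does not treat "\" as a separator; reject both
	// separators explicitly so the check behaves the same on every platform.
	if strings.ContainsAny(backupName, `/\`) {
		return "", ErrBadBackupName
	}
	// Strict "<config-basename>.bak." prefix: only names the connect step itself
	// could have produced are candidates, and a bare prefix with no suffix is out.
	prefix := configBasename + ".bak."
	if !strings.HasPrefix(backupName, prefix) || len(backupName) == len(prefix) {
		return "", ErrBadBackupName
	}
	// Constant-directory join: traversal is impossible by construction because
	// the validated input carries no directory component.
	return filepath.Join(configDir, backupName), nil
}

func main() {
	// Constructed sample inputs: one valid name and several shapes the guard rejects.
	const configDir = "/srv/clients/acme" // assumed registry-derived directory
	const configBase = "config.json"      // assumed config basename for this client
	for _, name := range []string{
		"config.json.bak.20240101T120000",
		"/etc/passwd",
		"../config.json.bak.1",
		`config.json.bak.1\..\x`,
		"other.bak.1",
		"config.json.bak.",
	} {
		p, err := resolveBackupPath(configDir, configBase, name)
		fmt.Printf("%-36q -> path=%q err=%v\n", name, p, err)
	}
}
```

The caller then stats the returned path and maps a missing file to 404, which keeps the "unknown basename still 404, path-shaped name 400" split the commit describes without ever letting request data choose a directory.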
// @Param body body UndoConnectRequest false "Undo parameters (server_name, backup_path from the preceding connect)"
288
+
// @Param body body UndoConnectRequest false "Undo parameters (server_name, backup_name = the bare filename of the backup the preceding connect returned)"
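Review bot: the updated @Param annotation still declares the request body optional (the `false` after `UndoConnectRequest`), yet undo cannot run without server_name and backup_name; consider `true` so the regenerated OpenAPI marks the body required. The description could also state the outcomes the commit message lists (path-shaped backup_name -> 400, unknown name -> 404) so API consumers see the contract the server now enforces rather than only the renamed field.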