fix(security): address code review findings

- mkdocs-deploy.yml: move permissions from workflow level to job level
  (build job: contents:read; deploy job: pages:write, id-token:write)
  to follow least-privilege principle
- examples/build_demo_db.py: add _validate_db_path() to reject path
  traversal (../) in CLI-provided database paths
- scripts/_create_demo_db.py: add same path traversal validation
- package.json: commit package-lock.json for reproducible ctxlint
  dependency resolution (remove from .gitignore)

Author: sunbos

.github/workflows/mkdocs-deploy.yml

@@ -9,18 +9,15 @@ on:
       - '.github/workflows/mkdocs-deploy.yml'
   workflow_dispatch:
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 concurrency:
   group: pages
   cancel-in-progress: false
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
@@ -41,6 +38,9 @@ jobs:
   deploy:
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

.gitignore

@@ -78,7 +78,6 @@ examples/notebooks/batch_config.yaml
 
 # Node.js (for ctxlint)
 node_modules/
-package-lock.json
 
 # mkdocs build output (deployed via GitHub Actions, not committed)
 site/

examples/build_demo_db.py

@@ -136,10 +136,18 @@
 """
 
 # 演示数据库中预期的表
-_EXPECTED_TABLES = frozenset({
-    "organizations", "members", "projects", "tasks",
-    "reviews", "tags", "task_tags", "attachments",
-})
+_EXPECTED_TABLES = frozenset(
+    {
+        "organizations",
+        "members",
+        "projects",
+        "tasks",
+        "reviews",
+        "tags",
+        "task_tags",
+        "attachments",
+    }
+)
 
 # ---------------------------------------------------------------------------
 # 公开 API
@@ -149,6 +157,22 @@
 _DEFAULT_DB_PATH = _SCRIPT_DIR / "sqlseed_demo.db"
 
 
+def _validate_db_path(path: Path) -> Path:
+    """Validate database path to prevent path traversal and unsafe locations.
+
+    Ensures the resolved path stays within the script's parent directory tree
+    or is an absolute path explicitly provided by the caller (not relative ../).
+    """
+    resolved = path.resolve()
+    # Reject paths that escape to parent directories via relative ../ traversal
+    # when the input was a relative path
+    if not path.is_absolute():
+        rel_input = str(path).replace("\\", "/")
+        if rel_input.startswith("../") or "/../" in rel_input:
+            raise ValueError(f"Path traversal not allowed: {path}")
+    return resolved
+
+
 def ensure_db(db_path: str | Path | None = None) -> Path:
     """确保演示数据库存在且 schema 正确。
 
@@ -165,32 +189,27 @@ def ensure_db(db_path: str | Path | None = None) -> Path:
     Returns:
         数据库文件的绝对路径。
     """
-    path = Path(db_path) if db_path else _DEFAULT_DB_PATH
+    path = _validate_db_path(Path(db_path) if db_path else _DEFAULT_DB_PATH)
 
     if path.exists():
         conn = sqlite3.connect(str(path))
-        existing = {
-            r[0]
-            for r in conn.execute(
-                "SELECT name FROM sqlite_master WHERE type='table'"
-            ).fetchall()
-        }
+        existing = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()}
         if _EXPECTED_TABLES.issubset(existing):
             conn.close()
-            return path.resolve()
+            return path
         # Schema 不完整 — 修复
         conn.executescript(SCHEMA_SQL)
         conn.commit()
         conn.close()
-        return path.resolve()
+        return path
 
     # 数据库不存在 — 仅创建 schema
     path.parent.mkdir(parents=True, exist_ok=True)
     conn = sqlite3.connect(str(path))
     conn.executescript(SCHEMA_SQL)
     conn.commit()
     conn.close()
-    return path.resolve()
+    return path
 
 
 def build(db_path: str | Path | None = None) -> Path:
@@ -204,7 +223,7 @@ def build(db_path: str | Path | None = None) -> Path:
     Returns:
         创建的数据库文件路径。
     """
-    path = Path(db_path) if db_path else _DEFAULT_DB_PATH
+    path = _validate_db_path(Path(db_path) if db_path else _DEFAULT_DB_PATH)
     if path.exists():
         path.unlink()
 
@@ -213,7 +232,7 @@ def build(db_path: str | Path | None = None) -> Path:
     conn.executescript(SCHEMA_SQL)
     conn.commit()
     conn.close()
-    return path.resolve()
+    return path
 
 
 if __name__ == "__main__":

package-lock.json

@@ -7,9 +7,21 @@
 from pathlib import Path
 
 
+def _validate_db_path(path: Path) -> Path:
+    """Validate database path to prevent path traversal attacks.
+
+    Rejects relative paths that escape to parent directories via ../.
+    """
+    if not path.is_absolute():
+        rel_input = str(path).replace("\\", "/")
+        if rel_input.startswith("../") or "/../" in rel_input:
+            raise ValueError(f"Path traversal not allowed: {path}")
+    return path.resolve()
+
+
 def main() -> None:
     db_path_str = sys.argv[1] if len(sys.argv) > 1 else "quickstart_demo.db"
-    db_path = Path(db_path_str)
+    db_path = _validate_db_path(Path(db_path_str))
     if db_path.exists():
         db_path.unlink()