Skip to content

fix(security): CWE-22 path traversal guard for CLI attachments#183

Merged
scottschreckengaust merged 3 commits into
mainfrom
fix/semgrep-path-traversal
May 26, 2026
Merged

fix(security): CWE-22 path traversal guard for CLI attachments#183
scottschreckengaust merged 3 commits into
mainfrom
fix/semgrep-path-traversal

Conversation

@scottschreckengaust
Copy link
Copy Markdown
Contributor

@scottschreckengaust scottschreckengaust commented May 26, 2026

Summary

  • Adds safeResolvePath() function that validates resolved paths stay within CWD before use
  • Replaces all raw path.resolve(userInput) calls in the attachment upload flow
  • Single nosemgrep suppression on the guard function itself (must resolve before it can validate)

Introduced by PR #176 (attachments feature) — semgrep's path-join-resolve-traversal rule flagged 3 call sites in cli/src/commands/submit.ts.

Test plan

  • tsc --noEmit compiles cleanly
  • semgrep scan --config auto reports 0 findings
  • Pre-commit hooks pass (eslint, gitleaks)
  • CI build passes
  • Paths outside CWD (e.g. ../../etc/passwd) are rejected with clear error

🤖 Generated with Claude Code

scottschreckengaust and others added 2 commits May 26, 2026 20:20
@scottschreckengaust @claude
fix(security): add path traversal guard for CLI attachment paths
1c39cf5 
Introduces safeResolvePath() that validates resolved paths stay within
the working directory (CWE-22 mitigation). All path.resolve(userInput)
call sites in the attachment upload flow now go through this guard.

The single nosemgrep suppression is on the guard function itself —
it must call path.resolve before it can validate the result.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust
Merge branch 'main' into fix/semgrep-path-traversal
fe7d85b
@scottschreckengaust scottschreckengaust marked this pull request as ready for review May 26, 2026 20:24
@scottschreckengaust scottschreckengaust requested a review from a team as a code owner May 26, 2026 20:24
@scottschreckengaust scottschreckengaust added this pull request to the merge queue May 26, 2026
Merged via the queue into main with commit d7db01c May 26, 2026
6 checks passed
@scottschreckengaust scottschreckengaust deleted the fix/semgrep-path-traversal branch May 26, 2026 20:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@krokoko krokoko krokoko approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@scottschreckengaust @krokoko