diff --git a/pkg/cli/compile_integration_test.go b/pkg/cli/compile_integration_test.go
index 7439a4fa33..8801f7a4f3 100644
--- a/pkg/cli/compile_integration_test.go
+++ b/pkg/cli/compile_integration_test.go
@@ -4,7 +4,6 @@ package cli
 import (
 "bytes"
- "context"
 "io"
 "os"
 "os/exec"
diff --git a/pkg/cli/completions.go b/pkg/cli/completions.go
index 0bcdee4cfb..d6bf390f0e 100644
--- a/pkg/cli/completions.go
+++ b/pkg/cli/completions.go
@@ -15,16 +15,25 @@ var completionsLog = logger.New("cli:completions")
 // getWorkflowDescription extracts the description field from a workflow's frontmatter
 // Returns empty string if the description is not found or if there's an error reading the file
-func getWorkflowDescription(filepath string) string {
- content, err := os.ReadFile(filepath)
+func getWorkflowDescription(filePath string) string {
+ // Sanitize the filepath to prevent path traversal attacks
+ cleanPath := filepath.Clean(filePath)
+
+ // Verify the path is absolute to prevent relative path traversal
+ if !filepath.IsAbs(cleanPath) {
+ completionsLog.Printf("Invalid workflow file path (not absolute): %s", filePath)
+ return ""
+ }
+
+ content, err := os.ReadFile(cleanPath)
 if err != nil {
- completionsLog.Printf("Failed to read workflow file %s: %v", filepath, err)
+ completionsLog.Printf("Failed to read workflow file %s: %v", cleanPath, err)
 return ""
 }
 result, err := parser.ExtractFrontmatterFromContent(string(content))
 if err != nil {
- completionsLog.Printf("Failed to parse frontmatter from %s: %v", filepath, err)
+ completionsLog.Printf("Failed to parse frontmatter from %s: %v", filePath, err)
 return ""
 }
diff --git a/pkg/cli/interfaces_test.go b/pkg/cli/interfaces_test.go
index ad066e3a4c..74566bd465 100644
--- a/pkg/cli/interfaces_test.go
+++ b/pkg/cli/interfaces_test.go
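Review bot: The `filepath.Clean` plus `filepath.IsAbs` guard added at the top of getWorkflowDescription does not prevent path traversal as its comment claims: Clean only normalizes `..` segments, and any absolute path, including one outside the workflows directory, still passes and is read. If the intent is to confine reads to a known base directory, the check needs that base (for example `filepath.Rel(baseDir, cleanPath)` followed by a test that the result does not start with `..`); if callers are trusted, reword the comment to what the code does, e.g. `// Normalize the path and require it to be absolute; this does not restrict which file is read.` The error logs are also inconsistent — the read failure logs `cleanPath` while the non-absolute and parse failures log `filePath`; pick one so log lines correlate. The function's doc comment should mention the new early return for non-absolute paths, and the function's closing brace lies outside the hunk.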
@@ -27,21 +27,21 @@ func TestCommandProviderInterface(t *testing.T) {
 t.Run("GenBashCompletion", func(t *testing.T) {
 var buf bytes.Buffer
 err := provider.GenBashCompletion(&buf)
- assert.NoError(t, err, "GenBashCompletion should not error")
+ require.NoError(t, err, "GenBashCompletion should not error")
 assert.NotEmpty(t, buf.String(), "GenBashCompletion should generate content")
 })
 t.Run("GenZshCompletion", func(t *testing.T) {
 var buf bytes.Buffer
 err := provider.GenZshCompletion(&buf)
- assert.NoError(t, err, "GenZshCompletion should not error")
+ require.NoError(t, err, "GenZshCompletion should not error")
 assert.NotEmpty(t, buf.String(), "GenZshCompletion should generate content")
 })
 t.Run("GenFishCompletion", func(t *testing.T) {
 var buf bytes.Buffer
 err := provider.GenFishCompletion(&buf, true)
- assert.NoError(t, err, "GenFishCompletion should not error")
+ require.NoError(t, err, "GenFishCompletion should not error")
 assert.NotEmpty(t, buf.String(), "GenFishCompletion should generate content")
 })
 }
diff --git a/pkg/cli/run_command_test.go b/pkg/cli/run_command_test.go
index 3c73035e2c..ceaaec4290 100644
--- a/pkg/cli/run_command_test.go
+++ b/pkg/cli/run_command_test.go
@@ -3,7 +3,6 @@ package cli
 import (
- "context"
 "fmt"
 "strings"
 "testing"
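Review bot: The switch from `assert.NoError` to `require.NoError` in the three subtests needs testify's `require` package in this file's imports, and no hunk in this diff adds it; unless `require` is already imported elsewhere in interfaces_test.go, the file will not compile. The change itself is sound — with `require`, a failed generation call now stops the subtest before `assert.NotEmpty` reports a misleading empty-output failure on the same run. TestCommandProviderInterface's opening lines are outside the hunk.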