Closed
1 change: 0 additions & 1 deletion pkg/cli/compile_integration_test.go
Expand Up @@ -4,7 +4,6 @@ package cli

import (
"bytes"
"context"
"io"
"os"
"os/exec"
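--- a/pkg/cli/completions.go
+++ b/pkg/cli/completions.go
@@ -15,16 +15,25 @@ var completionsLog = logger.New("cli:completions")
 
 // getWorkflowDescription extracts the description field from a workflow's frontmatter
 // Returns empty string if the description is not found or if there's an error reading the file
-func getWorkflowDescription(filepath string) string {
-content, err := os.ReadFile(filepath)
+func getWorkflowDescription(filePath string) string {
+// Sanitize the filepath to prevent path traversal attacks
+cleanPath := filepath.Clean(filePath)
+
+// Verify the path is absolute to prevent relative path traversal
+if !filepath.IsAbs(cleanPath) {
+completionsLog.Printf("Invalid workflow file path (not absolute): %s", filePath)
+return ""
+}
+
+content, err := os.ReadFile(cleanPath)
 if err != nil {
-completionsLog.Printf("Failed to read workflow file %s: %v", filepath, err)
+completionsLog.Printf("Failed to read workflow file %s: %v", cleanPath, err)
 return ""
 }
 
 result, err := parser.ExtractFrontmatterFromContent(string(content))
 if err != nil {
-completionsLog.Printf("Failed to parse frontmatter from %s: %v", filepath, err)
+completionsLog.Printf("Failed to parse frontmatter from %s: %v", filePath, err)
 return ""
 }
 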
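Review bot: The `filepath.Clean` and `filepath.IsAbs` checks added at the top of `getWorkflowDescription` do not confine the read to any directory, so the comment `// Sanitize the filepath to prevent path traversal attacks` overstates them: every absolute path, and any symlink along it, still reaches `os.ReadFile(cleanPath)`. If confinement is the intent, the function needs a trusted base directory to compare against, e.g. `rel, err := filepath.Rel(baseDir, cleanPath)` and then rejecting `rel == ".."` or a `".."+string(filepath.Separator)` prefix, where `baseDir` is a placeholder because no such value is visible in this hunk; otherwise the comment should read `// Normalize the path; callers must pass an absolute path`. The absolute-path requirement is also a behaviour change: any caller that passes a relative workflow path (callers are outside the hunk) now gets an empty description, with only a log line to show for it. The three log calls mix `filePath` and `cleanPath`, and `%q` instead of `%s` would keep control characters in a supplied path from distorting the log. The function body continues past the end of the hunk.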
6 changes: 3 additions & 3 deletions pkg/cli/interfaces_test.go
Expand Up @@ -27,21 +27,21 @@ func TestCommandProviderInterface(t *testing.T) {
t.Run("GenBashCompletion", func(t *testing.T) {
var buf bytes.Buffer
err := provider.GenBashCompletion(&buf)
assert.NoError(t, err, "GenBashCompletion should not error")
require.NoError(t, err, "GenBashCompletion should not error")
assert.NotEmpty(t, buf.String(), "GenBashCompletion should generate content")
})

t.Run("GenZshCompletion", func(t *testing.T) {
var buf bytes.Buffer
err := provider.GenZshCompletion(&buf)
assert.NoError(t, err, "GenZshCompletion should not error")
require.NoError(t, err, "GenZshCompletion should not error")
assert.NotEmpty(t, buf.String(), "GenZshCompletion should generate content")
})

t.Run("GenFishCompletion", func(t *testing.T) {
var buf bytes.Buffer
err := provider.GenFishCompletion(&buf, true)
assert.NoError(t, err, "GenFishCompletion should not error")
require.NoError(t, err, "GenFishCompletion should not error")
assert.NotEmpty(t, buf.String(), "GenFishCompletion should generate content")
})
}
1 change: 0 additions & 1 deletion pkg/cli/run_command_test.go
Expand Up @@ -3,7 +3,6 @@
package cli

import (
"context"
"fmt"
"strings"
"testing"