fix: validate change name format to prevent path traversal

TabishB · TabishB · commit acdce5b2ba76 · 2025-12-29T16:49:09.000+11:00
Add validation in validateChangeExists() to ensure --change parameter
is a valid kebab-case ID before constructing file paths. This prevents
path traversal attacks like --change "../foo" or --change "/etc/passwd".

- Reuses existing validateChangeName() from change-utils.ts
- Adds 3 tests for path traversal, absolute paths, and slashes
diff --git a/src/commands/artifact-workflow.ts b/src/commands/artifact-workflow.ts
@@ -100,6 +100,12 @@ async function validateChangeExists(
     );
   }
 
+  // Validate change name format to prevent path traversal
+  const nameValidation = validateChangeName(changeName);
+  if (!nameValidation.valid) {
+    throw new Error(`Invalid change name '${changeName}': ${nameValidation.error}`);
+  }
+
   // Check directory existence directly
   const changePath = path.join(changesPath, changeName);
   const exists = fs.existsSync(changePath) && fs.statSync(changePath).isDirectory();
diff --git a/test/commands/artifact-workflow.test.ts b/test/commands/artifact-workflow.test.ts
@@ -164,6 +164,27 @@ describe('artifact-workflow CLI commands', () => {
       const output = getOutput(result);
       expect(output).toContain("Schema 'unknown' not found");
     });
+
+    it('rejects path traversal in change name', async () => {
+      const result = await runCLI(['status', '--change', '../foo'], { cwd: tempDir });
+      expect(result.exitCode).toBe(1);
+      const output = getOutput(result);
+      expect(output).toContain('Invalid change name');
+    });
+
+    it('rejects absolute path in change name', async () => {
+      const result = await runCLI(['status', '--change', '/etc/passwd'], { cwd: tempDir });
+      expect(result.exitCode).toBe(1);
+      const output = getOutput(result);
+      expect(output).toContain('Invalid change name');
+    });
+
+    it('rejects slashes in change name', async () => {
+      const result = await runCLI(['status', '--change', 'foo/bar'], { cwd: tempDir });
+      expect(result.exitCode).toBe(1);
+      const output = getOutput(result);
+      expect(output).toContain('Invalid change name');
+    });
   });
 
   describe('next command', () => {
