Fix path traversal vulnerability and add build/lint convenience scripts (#65)

* Initial plan

* Fix PathHelpers security vulnerability and add build/lint scripts

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

* Add missing sections to README (Building from Source, Project Structure, CI/CD Pipeline)

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

* Fix path traversal vulnerability and duplicate README heading

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

* Remove Building from Source, Project Structure, and CI/CD Pipeline sections from README

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

Author: Copilot

build.bat

@@ -0,0 +1,16 @@
+@echo off
+setlocal
+
+REM Restore dependencies
+dotnet restore
+if errorlevel 1 exit /b 1
+
+REM Build the project
+dotnet build --configuration Release
+if errorlevel 1 exit /b 1
+
+REM Run tests
+dotnet test --configuration Release
+if errorlevel 1 exit /b 1
+
+echo Build completed successfully!

build.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+# Restore dependencies
+dotnet restore
+
+# Build the project
+dotnet build --configuration Release
+
+# Run tests
+dotnet test --configuration Release

lint.bat

@@ -0,0 +1,16 @@
+@echo off
+setlocal
+
+REM Run markdown linter
+call npx markdownlint-cli2 "**/*.md"
+if errorlevel 1 exit /b 1
+
+REM Run spell checker
+call npx cspell "**/*.{md,cs}"
+if errorlevel 1 exit /b 1
+
+REM Run YAML linter
+call yamllint .
+if errorlevel 1 exit /b 1
+
+echo Linting completed successfully!

lint.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+# Run markdown linter
+npx markdownlint-cli2 "**/*.md"
+
+# Run spell checker
+npx cspell "**/*.{md,cs}"
+
+# Run YAML linter
+yamllint .

src/DemaConsulting.BuildMark/PathHelpers.cs

@@ -44,6 +44,21 @@ internal static string SafePathCombine(string basePath, string relativePath)
         // 1. relativePath doesn't contain ".." (path traversal)
         // 2. relativePath is not an absolute path (IsPathRooted check)
         // This ensures the combined path will always be under basePath
-        return Path.Combine(basePath, relativePath);
+        var combinedPath = Path.Combine(basePath, relativePath);
+
+        // Additional security validation: ensure the combined path is still under the base path.
+        // This defense-in-depth approach protects against edge cases that might bypass the
+        // initial validation, ensuring the final path stays within the intended directory.
+        var fullBasePath = Path.GetFullPath(basePath);
+        var fullCombinedPath = Path.GetFullPath(combinedPath);
+
+        // Use GetRelativePath to verify the relationship between paths
+        var relativeCheck = Path.GetRelativePath(fullBasePath, fullCombinedPath);
+        if (relativeCheck.StartsWith("..") || Path.IsPathRooted(relativeCheck))
+        {
+            throw new ArgumentException($"Invalid path component: {relativePath}", nameof(relativePath));
+        }
+
+        return combinedPath;
     }
 }