Commit 75992e3
Test User
fix(security): add path validation and handle branch creation race condition
Security fixes:
- Add validate_file_paths() to prevent directory traversal attacks in commit endpoint (rejects absolute paths, '..' segments, and paths that escape the workspace via symlink resolution)
- Handle branch creation race condition by returning 409 Conflict instead of 500 when concurrent requests create the same branch

Changes:
- Add os import for path validation
- Add validate_file_paths() function with commonpath check
- Call path validation before commit_task_changes()
- Update create_branch to return 409 for "already exists" errors
- Update test to expect 409 for duplicate branch creation
- Add 3 security tests for path validation (absolute, traversal, escape)

Test coverage: 50 tests passing

1 parent 4765445
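As an added example (not code from this commit or from the project), here is one way to implement the validate_file_paths() the message describes: reject absolute paths, reject any '..' segment on the raw input, then resolve symlinks with os.path.realpath and confine the result with os.path.commonpath. The workspace argument, the InvalidPathError class, the returned resolved-relative paths and the throwaway workspace built by demo() are all assumptions made for illustration.

```python
import os
import tempfile
from typing import Dict, Iterable, List


class InvalidPathError(ValueError):
    """Raised when a client-supplied path must not be committed (hypothetical)."""


def validate_file_paths(workspace: str, paths: Iterable[str]) -> List[str]:
    """Return each path as a symlink-resolved, workspace-relative path, or raise.

    Checks, in order: absolute paths; any '..' segment (tested on the raw
    input, before normalisation could fold it away); and containment of the
    realpath of the joined path inside the realpath of the workspace.
    Callers should write to the returned paths, not the raw input, so the
    path that was checked is the path that is used.
    """
    ws_real = os.path.realpath(workspace)
    accepted: List[str] = []
    for p in paths:
        if not p or "\x00" in p:
            raise InvalidPathError(f"empty or NUL-containing path: {p!r}")
        if os.path.isabs(p):
            raise InvalidPathError(f"absolute path rejected: {p!r}")
        # Split on both separators so 'a\\..\\b' is caught on Windows as well.
        if ".." in p.replace("\\", "/").split("/"):
            raise InvalidPathError(f"parent-directory segment rejected: {p!r}")
        # realpath follows symlinks in every component, so a link inside the
        # workspace that points at /etc is resolved before the containment test.
        target = os.path.realpath(os.path.join(ws_real, p))
        # commonpath is segment-aware: '/srv/ws' is not a prefix of '/srv/ws2/x',
        # which a plain str.startswith check would get wrong.
        if target == ws_real or os.path.commonpath([ws_real, target]) != ws_real:
            raise InvalidPathError(f"path escapes workspace: {p!r} -> {target}")
        accepted.append(os.path.relpath(target, ws_real))
    return accepted


def demo() -> Dict[str, str]:
    """Exercise the check against a constructed workspace with an escaping symlink.

    Returns input -> 'ok:<relpath>' or 'rejected:<reason>' for the sample paths.
    The directory layout and sample paths are constructed test data.
    """
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as root:
        ws = os.path.join(root, "workspace")
        outside = os.path.join(root, "outside")
        os.makedirs(os.path.join(ws, "src"))
        os.makedirs(outside)
        # A symlink inside the workspace whose target is outside it.
        os.symlink(outside, os.path.join(ws, "escape"))
        samples = [
            "src/main.py",            # legitimate
            "/etc/passwd",            # absolute
            "src/../../secrets.txt",  # traversal
            "escape/secrets.txt",     # symlink escape
            "src/./main.py",          # normalises to src/main.py
        ]
        for s in samples:
            try:
                results[s] = "ok:" + validate_file_paths(ws, [s])[0]
            except InvalidPathError as exc:
                results[s] = "rejected:" + str(exc).split(":")[0]
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path:25} {outcome}")
```

The '..' test runs on the raw string deliberately: os.path.normpath would turn "src/../../secrets.txt" into "../secrets.txt" and a later realpath would fold it further, so rejecting the segment before any normalisation keeps the rule simple to audit.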
2 files changed, +112 -6 lines changed

[First of the two changed files (file name not captured): the diff body was not preserved in this extraction, only the line-number columns. Hunks by new-file line numbers: +1 line at 12; +43 lines at 70-112; line 266 replaced by 310 plus +1 line at 313; line 317 replaced by 362-365 plus +8 lines at 368-375; +6 lines at 550-555.]
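Review bot: the message says escaping paths are caught "via symlink resolution" with a commonpath check, which is only sound if commit_task_changes() then writes to the same resolved path that was checked; if it re-joins the raw client path to the workspace, a symlink created between validation and the write re-opens the escape (a check-then-use window). Suggest having validate_file_paths() return the resolved workspace-relative paths and passing those to commit_task_changes(), and noting in its docstring that containment is tested against the realpath of the workspace, so a workspace reached through a symlink still compares equal. Separately, if the 409 in create_branch is keyed on the substring "already exists" in the error text, that couples the HTTP status to the wording of the underlying git or library error; matching the specific exception type or return code is more robust.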
[Second of the two changed files (file name not captured): diff body not preserved, line-number columns only. Hunks by new-file line numbers: lines 262-263 replaced by 262-263; line 275 replaced by 275; line 283 replaced by 283-284; +43 lines at 603-645.]
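Review bot: the three new security tests (absolute, traversal, escape) do not, from the description, cover the case that a prefix check gets wrong and commonpath gets right: a sibling directory whose name starts with the workspace name (for example a workspace at "/srv/ws" and a symlink into "/srv/ws2"). Adding that case pins the reason for using os.path.commonpath rather than str.startswith, so a later refactor cannot silently weaken it. Likewise, since the duplicate-branch test now expects 409, state in the test name or docstring whether it drives the real race (two concurrent requests) or a stubbed "already exists" error, so the two are not confused.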