Skip to content

fix: harden Google Drive integration (M-05, M-06)#17

Open
riaworks wants to merge 1 commit intothiagofinch:mainfrom
riaworks:fix/gdrive-path-validation
Open

fix: harden Google Drive integration (M-05, M-06)#17
riaworks wants to merge 1 commit intothiagofinch:mainfrom
riaworks:fix/gdrive-path-validation

Conversation

@riaworks
Copy link

@riaworks riaworks commented Mar 2, 2026

Summary

Hardens Google Drive integration paths. Part of the Security Remediation Plan (PR 5 of 7).

M-05: Upload Path Restriction (gdrive_sync.py, convert.py)

  • Path validation added to upload_file() and convert() methods
  • Only files under allowed directories can be uploaded/converted:
    • knowledge/, docs/, agents/, core/, logs/
  • Uses Path.resolve() + relative_to() for path traversal prevention
  • Prevents uploading sensitive files (.env, credentials, SSH keys) to Google Drive

M-06: OAuth Credential Path Fix (reauth.py)

  • Replaced Path(r"~/.config/...") with Path.home() / ".config" / ...
  • Raw string r"~" does NOT expand ~ — it stays as literal tilde
  • Path.home() correctly resolves to user home directory on all platforms

Files Changed

File Change
.claude/skills/sync-docs/gdrive_sync.py +35 lines: path validation function + upload guard
.claude/skills/convert-to-company-docs/convert.py +32 lines: path validation function + convert guard
.claude/skills/sync-docs/reauth.py 3 lines changed: Path.home() instead of raw string

Security Properties

  • No new dependencies: Uses only Python stdlib (pathlib, os)
  • Blocks with clear error message: Shows which directories are allowed
  • Cross-platform: Path.resolve() and Path.home() work on Windows/macOS/Linux
  • No exec/eval/os.system: Zero dynamic code execution

🤖 Generated with Claude Code

@riaworks @claude
fix: harden Google Drive integration (M-05, M-06)
3cdcb34 
M-05: Add path validation to upload_file() in gdrive_sync.py and
convert() in convert.py. Only files under allowed directories
(knowledge/, docs/, agents/, core/, logs/) can be uploaded or
converted. Prevents uploading sensitive files (.env, credentials)
to Google Drive. Uses Path.resolve() + relative_to() for traversal
prevention.

M-06: Fix OAuth credential paths in reauth.py. Replace
Path(r"~/.config/...") (raw string, ~ not expanded) with
Path.home() / ".config" / ... for correct cross-platform expansion.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@riaworks riaworks requested a review from thiagofinch as a code owner March 2, 2026 14:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thiagofinch thiagofinch Awaiting requested review from thiagofinch thiagofinch is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@riaworks