From 7d94c5570f980b5ad1dfadde642bf9786e733b7e Mon Sep 17 00:00:00 2001
From: Jordan Suber <38364814+Notoriousjayy@users.noreply.github.com>
Date: Sun, 18 Jan 2026 18:38:40 -0500
Subject: [PATCH] Autofix: Code scanning alert #4

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 scripts/triage_and_act.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/scripts/triage_and_act.py b/scripts/triage_and_act.py
index 421ee1d..d106b53 100644
--- a/scripts/triage_and_act.py
+++ b/scripts/triage_and_act.py
@@ -150,7 +150,18 @@ def main() -> int:
     logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
-    rules = json.loads(Path(args.rules).read_text(encoding="utf-8"))
+    base_dir = Path(__file__).resolve().parent
+    rules_path = Path(args.rules)
+    if not rules_path.is_absolute():
+        rules_path = base_dir / rules_path
+    rules_path = rules_path.resolve()
+    try:
+        # Ensure the rules file is within the base directory
+        rules_path.relative_to(base_dir)
+    except ValueError:
+        raise ValueError(f"Rules file path '{rules_path}' is not allowed; it must be within '{base_dir}'")
+
+    rules = json.loads(rules_path.read_text(encoding="utf-8"))
     scope = rules["scope"]
     rest, cs = create_clients()
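Review bot: The containment root chosen at `base_dir = Path(__file__).resolve().parent` is the script's own `scripts/` directory, so a rules file kept anywhere else in the repository is now rejected, and a relative `--rules` value that previously resolved against the working directory now resolves against `scripts/` instead — a silent behaviour change for existing callers; the default for `args.rules` is outside the hunk, so confirm it still lands inside that directory, and if the intended boundary is the repository root rather than `scripts/`, derive `base_dir` accordingly and document the boundary wherever `--rules` is described. The `resolve()` before the check is the right call, since it canonicalises symlinks and `..` components before the containment test. The try/except around `relative_to` can collapse to one test on Python 3.9+, `if not rules_path.is_relative_to(base_dir):`, and if the try/except is kept the re-raise should read `raise ValueError(...) from None` so the inner `relative_to` error does not appear as the cause in the traceback. Because `main()` is declared `-> int` (its definition and the rest of its body are outside the hunk), raising here yields an uncaught traceback rather than a clean exit; consider `logging.error(...)` followed by a non-zero `return` to match the function's contract. The hunk's trailing context appears to continue past what is shown.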