fix: validate skill and source names against path traversal #5

Open
Vishwaspatel2401 wants to merge 1 commit into balgaly:master from Vishwaspatel2401:fix/path-traversal-validation

@Vishwaspatel2401

Summary

Extends the existing prototype pollution protection in src/core/manifest.js to also block path traversal attacks in skill and source names.

Before: Only __proto__, constructor, and prototype were rejected.
After: Names containing .., /, \, %2F, or %5C are also rejected in both addSkill() and addSource().

Changes

  • Added INVALID_NAME_PATTERN constant to src/core/manifest.js
  • Applied validation in addSource() and addSkill() before writing to manifest

Testing

All 375 previously passing tests continue to pass. The 6 failing tests are pre-existing failures unrelated to this change.

Extend the existing DANGEROUS_KEYS protection in addSkill() and
addSource() to also reject names containing path traversal sequences
(..  / \ and URL-encoded equivalents %2F %5C).

Co-Authored-By: Claude <noreply@anthropic.com>
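
The name check this pull request describes, sketched as an added example; it is not the project's code from src/core/manifest.js. The names `checkName`, `addEntry`, `RESERVED_KEYS`, `TRAVERSAL` and `SLUG`, the allow-list stage and the sample names are all assumptions made for illustration.

```javascript
// Added example; not the code from src/core/manifest.js. All names are hypothetical.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Deny-list built from the sequences the PR description lists.
// The i flag also matches lower-case %2f and %5c.
const TRAVERSAL = /\.\.|[\/\\]|%2f|%5c/i;

// Assumed allow-list: names are short slugs that start with a letter or digit.
const SLUG = /^[a-z0-9][a-z0-9._-]{0,63}$/i;

// Returns null when the name is acceptable, otherwise the reason for rejection.
function checkName(name) {
  if (typeof name !== 'string' || name.length === 0) return 'not a non-empty string';
  if (RESERVED_KEYS.has(name)) return 'reserved key';
  if (TRAVERSAL.test(name)) return 'path traversal sequence';
  if (!SLUG.test(name)) return 'outside allow-list';
  return null;
}

// Validates before writing, as the PR describes for addSkill() and addSource().
function addEntry(manifest, kind, name, value) {
  const reason = checkName(name);
  if (reason !== null) throw new Error(`invalid ${kind} name (${reason})`);
  // Null-prototype map: a name can never resolve to an inherited property.
  if (!manifest[kind]) manifest[kind] = Object.create(null);
  manifest[kind][name] = value;
  return manifest;
}

// Constructed sample names, not taken from the project.
const samples = ['lint.v2', '../../etc', 'a\\b', 'x%2Fy', 'x%2fy', '%2e%2e', '__proto__', ''];
for (const s of samples) {
  console.log(JSON.stringify(s).padEnd(14), '->', checkName(s) ?? 'ok');
}
```

`%2e%2e` contains none of the listed sequences, so in this sketch only the allow-list stage rejects it.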