core/cli - Forgejo: Beyond coding. We Forge.

core/cli

Fork 0

Commit graph

Author	SHA1	Message	Date
Claude	5de7ee4fb8	fix(security): sanitize path components in journal logging (#46 ) Prevent path traversal in Journal.Append() by validating RepoOwner and RepoName before using them in file paths. Malicious values like "../../etc/cron.d" could previously write outside the journal baseDir. Defence layers: - Reject inputs containing path separators (/ or \) - Reject ".." and "." traversal components - Validate against safe character regex ^[a-zA-Z0-9][a-zA-Z0-9._-]*$ - Verify resolved absolute path stays within baseDir Closes #46 CVSS 6.3 — OWASP A01:2021-Broken Access Control Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-16 05:53:52 +00:00
Snider	dff1b63d4d	feat(jobrunner): add automated PR workflow system (#329 ) - Core poller: 5min cycle, journal-backed state, signal dispatch - GitHub client: PR fetching, child issue enumeration - 11 action handlers: link/publish/merge/tick/resolve/etc. - core-ide: headless mode + MCP handler + systemd service - 39 tests, all passing	2026-02-05 10:36:21 +00:00

Author

SHA1

Message

Date

Claude

5de7ee4fb8

fix(security): sanitize path components in journal logging (#46 )

Prevent path traversal in Journal.Append() by validating RepoOwner and
RepoName before using them in file paths. Malicious values like
"../../etc/cron.d" could previously write outside the journal baseDir.

Defence layers:
- Reject inputs containing path separators (/ or \)
- Reject ".." and "." traversal components
- Validate against safe character regex ^[a-zA-Z0-9][a-zA-Z0-9._-]*$
- Verify resolved absolute path stays within baseDir

Closes #46
CVSS 6.3 — OWASP A01:2021-Broken Access Control

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-16 05:53:52 +00:00

Snider

dff1b63d4d

feat(jobrunner): add automated PR workflow system (#329 )

- Core poller: 5min cycle, journal-backed state, signal dispatch
- GitHub client: PR fetching, child issue enumeration
- 11 action handlers: link/publish/merge/tick/resolve/etc.
- core-ide: headless mode + MCP handler + systemd service
- 39 tests, all passing

2026-02-05 10:36:21 +00:00

2 commits