cli/pkg/jobrunner
Claude 518da273f6 fix(security): sanitize path components in journal logging (#46)
Prevent path traversal in Journal.Append() by validating RepoOwner and
RepoName before using them in file paths. Malicious values like
"../../etc/cron.d" could previously write outside the journal baseDir.

Defence layers:
- Reject inputs containing path separators (/ or \)
- Reject ".." and "." traversal components
- Validate against safe character regex ^[a-zA-Z0-9][a-zA-Z0-9._-]*$
- Verify resolved absolute path stays within baseDir

Closes #46
CVSS 6.3 — OWASP A01:2021-Broken Access Control

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 05:53:52 +00:00
forgejo fix(agentci): use log.E() error pattern, add Charm SSH TODOs 2026-02-09 11:15:11 +00:00
handlers fix(agentci): resolve agents by Forgejo username, not config key 2026-02-10 03:08:17 +00:00
journal.go fix(security): sanitize path components in journal logging (#46) 2026-02-16 05:53:52 +00:00
journal_test.go fix(security): sanitize path components in journal logging (#46) 2026-02-16 05:53:52 +00:00
poller.go feat(jobrunner): add automated PR workflow system (#329) 2026-02-05 10:36:21 +00:00
poller_test.go feat(jobrunner): add automated PR workflow system (#329) 2026-02-05 10:36:21 +00:00
types.go feat(agentci): Clotho orchestrator and security hardening 2026-02-10 03:08:16 +00:00
types_test.go feat(jobrunner): add automated PR workflow system (#329) 2026-02-05 10:36:21 +00:00