
fix: block path traversal in pattern name lookup #2123

Open
OdinKral wants to merge 1 commit into danielmiessler:main from OdinKral:fix/pattern-path-traversal

Conversation

@OdinKral

Summary

  • getFromDB joined user-supplied pattern names directly into filepath.Join with no sanitisation, allowing names like ../etc/passwd to escape the patterns directory
  • Added a strings.Contains(name, "..") guard at the top of getFromDB that returns an error immediately
  • Added pattern_invalid_name i18n key to all 11 locale files (English + 10 translations)
  • Added TestGetFromDB_PathTraversal test covering 5 traversal variants

Closes #2094.

Test plan

  • go test ./internal/plugins/db/fsdb/... passes with new TestGetFromDB_PathTraversal test
  • Normal pattern names (no ..) continue to work
  • Names with .. anywhere return an error containing "invalid pattern name"

🤖 Generated with Claude Code

…er#2094)

Pattern names containing ".." could be used to escape the patterns
directory and read arbitrary files via filepath.Join. Guard added at
the top of getFromDB; i18n key pattern_invalid_name added to all
11 locale files; test cases cover all common traversal variants.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
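Worked example, added here and not code from the fabric repository or from this PR, of the lookup shape the description above talks about: the unguarded filepath.Join, the PR's strings.Contains(name, "..") guard, and the containment check (single path component, then filepath.Rel against the base directory) that a reviewer would normally ask for alongside a substring test. The directory layout (pattern name joined directly under a patterns directory), the function names and the probe names are all assumptions; the real getFromDB may build the path differently and localises its error text.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrInvalidPatternName carries the "invalid pattern name" wording the PR's
// test plan checks for. The real code looks the text up through i18n.
var ErrInvalidPatternName = errors.New("invalid pattern name")

// lookupUnchecked is the vulnerable shape: the caller-supplied name goes
// straight into filepath.Join. Join cleans the result, so a name such as
// "../etc/passwd" yields a path outside dir rather than an error.
func lookupUnchecked(dir, name string) string {
	return filepath.Join(dir, name)
}

// lookupSubstringGuard is the PR's fix: refuse any name containing "..".
// It blocks every traversal that uses "..", but also rejects harmless names
// such as "foo..bar" and says nothing about nested names like "sub/dir".
func lookupSubstringGuard(dir, name string) (string, error) {
	if strings.Contains(name, "..") {
		return "", ErrInvalidPatternName
	}
	return filepath.Join(dir, name), nil
}

// lookupContained is the stricter, assumed alternative: a pattern name must be
// a single non-empty path component (no "/" or "\", not absolute), and the
// cleaned result must still sit strictly below dir according to filepath.Rel.
func lookupContained(dir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.ContainsAny(name, `/\`) {
		return "", ErrInvalidPatternName
	}
	p := filepath.Join(dir, name)
	rel, err := filepath.Rel(dir, p)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidPatternName
	}
	return p, nil
}

// probe runs both guards over a constructed set of names (not the PR's own
// test vectors) and reports, per name, whether each guard accepts it:
// index 0 is the substring guard, index 1 the containment check.
func probe(dir string, names []string) map[string][2]bool {
	out := make(map[string][2]bool, len(names))
	for _, n := range names {
		_, e1 := lookupSubstringGuard(dir, n)
		_, e2 := lookupContained(dir, n)
		out[n] = [2]bool{e1 == nil, e2 == nil}
	}
	return out
}

func main() {
	dir := "/srv/fabric/patterns" // assumed base directory
	names := []string{"summarize", "../etc/passwd", "..", "foo..bar", "sub/dir", "/etc/passwd"}
	fmt.Printf("%-16s %-36s %-8s %-9s\n", "name", "unchecked join", "substr", "contained")
	for _, n := range names {
		r := probe(dir, []string{n})[n]
		fmt.Printf("%-16s %-36s %-8v %-9v\n", n, lookupUnchecked(dir, n), r[0], r[1])
	}
}
```

Running it shows the difference between the two guards on the constructed names: "../etc/passwd" and ".." fail both, "foo..bar" fails only the substring guard, and "sub/dir" and "/etc/passwd" pass only the substring guard (Join keeps them under the base directory, but they are not single pattern names). Since Go 1.20, filepath.IsLocal(name) performs the escape part of this check in one call; it still allows nested names, so the separator test stays. Both checks are lexical: a symlink placed inside the patterns directory is not caught by either and needs a filesystem-level check if that threat matters.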

Development

Successfully merging this pull request may close these issues.

Harden pattern name input against path traversal in getFromDB

1 participant