feat(security): Enforce blacklist for discussion history files

This commit is contained in:
2026-02-24 22:05:44 -05:00
parent ba02c8ed12
commit 7bed5efe61
3 changed files with 69 additions and 6 deletions

View File

@@ -87,7 +87,14 @@ def _is_allowed(path: Path) -> bool:
- it is contained within (or equal to) one of the _base_dirs
All paths are resolved (follows symlinks) before comparison to prevent
symlink-based path traversal.
CRITICAL: Blacklisted files (history) are NEVER allowed.
"""
# Blacklist check
name = path.name.lower()
if name == "history.toml" or name.endswith("_history.toml"):
return False
try:
rp = path.resolve(strict=True)
except (OSError, ValueError):
@@ -153,11 +160,18 @@ def list_directory(path: str) -> str:
try:
entries = sorted(p.iterdir(), key=lambda e: (e.is_file(), e.name.lower()))
lines = [f"Directory: {p}", ""]
count = 0
for entry in entries:
# Blacklist check
name = entry.name.lower()
if name == "history.toml" or name.endswith("_history.toml"):
continue
kind = "file" if entry.is_file() else "dir "
size = f"{entry.stat().st_size:>10,} bytes" if entry.is_file() else ""
lines.append(f" [{kind}] {entry.name:<40} {size}")
lines.append(f" ({len(entries)} entries)")
count += 1
lines.append(f" ({count} entries)")
return "\n".join(lines)
except Exception as e:
return f"ERROR listing '{path}': {e}"
@@ -178,11 +192,18 @@ def search_files(path: str, pattern: str) -> str:
if not matches:
return f"No files matched '{pattern}' in {path}"
lines = [f"Search '{pattern}' in {p}:", ""]
count = 0
for m in matches:
# Blacklist check
name = m.name.lower()
if name == "history.toml" or name.endswith("_history.toml"):
continue
rel = m.relative_to(p)
kind = "file" if m.is_file() else "dir "
lines.append(f" [{kind}] {rel}")
lines.append(f" ({len(matches)} match(es))")
count += 1
lines.append(f" ({count} match(es))")
return "\n".join(lines)
except Exception as e:
return f"ERROR searching '{path}': {e}"