Skip to content

fix(security): sanitize file paths in save-contract.ts#248

Open
JackBinswitch-btc wants to merge 1 commit intoaibtcdev:mainfrom
JackBinswitch-btc:fix/path-traversal-save-contract
Open

fix(security): sanitize file paths in save-contract.ts#248
JackBinswitch-btc wants to merge 1 commit intoaibtcdev:mainfrom
JackBinswitch-btc:fix/path-traversal-save-contract

Conversation

@JackBinswitch-btc
Copy link

@JackBinswitch-btc JackBinswitch-btc commented Mar 9, 2026

Summary

  • Add input validation for tokenSymbol, network, and contractName using alphanumeric + underscore + hyphen regex (/^[a-zA-Z0-9_-]+$/)
  • Add resolved path check (assertWithinDirectory) to ensure all output files stay within the intended generated/ directory
  • Applied to both saveAgentAccountToFile and saveDaoContractsToFiles functions

Closes #246

Test plan

  • Verify normal contract saving still works with valid names (e.g. my-token, mainnet)
  • Verify that path traversal inputs (e.g. ../../etc) are rejected with a clear error
  • Verify that empty strings are rejected
  • Verify existing tests pass

🤖 Generated with Claude Code

@claude
fix(security): sanitize file paths in save-contract.ts
4f462d5 
Add input validation for tokenSymbol, network, and contractName
parameters using alphanumeric + underscore + hyphen regex. Add resolved
path checks to ensure output stays within the intended directory.

Closes aibtcdev#246

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

security: path traversal in save-contract.ts file generation

1 participant

@JackBinswitch-btc