fix: improve path matching and org config validation

Changes:
- Support path patterns without ./ prefix (e.g., 'scripts/test.sh')
- Reject non-string or empty command names in org config
- Add 8 new test cases (5 for path patterns, 3 for validation)

Details:
- matches_pattern() now treats any pattern with '/' as a path pattern
- load_org_config() validates that cmd['name'] is a non-empty string
- All 148 unit tests + 9 integration tests passing

Security hardening: Prevents invalid command names from reaching
pattern matching logic, reducing attack surface.
Marian Paul
2026-01-22 15:35:00 +01:00
parent f1b48be10e
commit 996ac0065c
3 changed files with 62 additions and 7 deletions


@@ -387,8 +387,8 @@ def matches_pattern(command: str, pattern: str) -> bool:
return False
return command.startswith(prefix)
# Local script paths (./scripts/build.sh matches build.sh)
if pattern.startswith("./") or pattern.startswith("../"):
# Path patterns (./scripts/build.sh, scripts/test.sh, etc.)
if "/" in pattern:
# Extract the script name from the pattern
pattern_name = os.path.basename(pattern)
return command == pattern or command == pattern_name or command.endswith("/" + pattern_name)
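Review bot: broadening the condition to `if "/" in pattern:` means the unchanged `return` line's basename fallback now applies to every pattern with a slash, so `scripts/test.sh` matches any command ending in `/test.sh` (or the bare `test.sh`) regardless of directory; if these patterns act as an allowlist, consider requiring the full relative path to match and keeping the basename fallback only for the `./` and `../` forms the old code accepted, or document that the directory part is ignored. Also, `os.path.basename("scripts/")` is `""`, so a trailing-slash pattern turns the check into `command == "" or command.endswith("/")`; rejecting patterns whose basename is empty (or stripping the trailing slash) before this line would close that.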
@@ -442,6 +442,9 @@ def load_org_config() -> Optional[dict]:
return None
if "name" not in cmd:
return None
# Validate that name is a non-empty string
if not isinstance(cmd["name"], str) or cmd["name"].strip() == "":
return None
# Validate blocked_commands if present
if "blocked_commands" in config:
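Review bot: the new `isinstance`/`strip()` check returns `None` for the whole config on one malformed `name`, the same way the surrounding `return None` lines do, so a single bad entry silently disables the org config with no indication of which entry failed; consider logging the offending entry before returning. Since the commit message says this keeps invalid names out of `matches_pattern()`, it may also be worth rejecting names that contain control characters or surrounding whitespace rather than only whitespace-only strings, as `" build "` still passes this check unchanged.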