Applying review recommendations

2026-03-16 18:33:07 +00:00 · 2026-03-13 10:31:27 -05:00
parent 1a0f8b17ea
commit 13a46dd8b2
1 changed files with 13 additions and 0 deletions
--- a/src/specify_cli/presets.py
+++ b/src/specify_cli/presets.py
@@ -139,6 +139,15 @@ class PresetManifest:
                    f"must be one of {sorted(VALID_PRESET_TEMPLATE_TYPES)}"
                )

+            # Validate file path safety: must be relative, no parent traversal
+            file_path = tmpl["file"]
+            normalized = os.path.normpath(file_path)
+            if os.path.isabs(normalized) or normalized.startswith(".."):
+                raise PresetValidationError(
+                    f"Invalid template file path '{file_path}': "
+                    "must be a relative path within the preset directory"
+                )
+
            # Validate template name format
            if tmpl["type"] == "command":
                # Commands use dot notation (e.g. speckit.specify)
@@ -921,6 +930,10 @@ class PresetCatalog:
            raise PresetValidationError(
                f"Failed to read catalog config {config_path}: {e}"
            )
+        if not isinstance(data, dict):
+            raise PresetValidationError(
+                f"Invalid catalog config {config_path}: expected a mapping at root, got {type(data).__name__}"
+            )
        catalogs_data = data.get("catalogs", [])
        if not catalogs_data:
            return None