ros/spec-kit
1
0
Fork 0
mirror of https://github.com/github/spec-kit.git synced 2026-03-19 20:03:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Applying review recommendations

Browse Source
This commit is contained in:
Manfred Riem
2026-03-13 10:31:27 -05:00
parent 1a0f8b17ea
commit 13a46dd8b2
1 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/specify_cli/presets.py
View File

@@ -139,6 +139,15 @@ class PresetManifest:
f"must be one of {sorted(VALID_PRESET_TEMPLATE_TYPES)}" f"must be one of {sorted(VALID_PRESET_TEMPLATE_TYPES)}"
) )
# Validate file path safety: must be relative, no parent traversal
file_path = tmpl["file"]
normalized = os.path.normpath(file_path)
if os.path.isabs(normalized) or normalized.startswith(".."):
raise PresetValidationError(
f"Invalid template file path '{file_path}': "
"must be a relative path within the preset directory"
)
# Validate template name format # Validate template name format
if tmpl["type"] == "command": if tmpl["type"] == "command":
# Commands use dot notation (e.g. speckit.specify) # Commands use dot notation (e.g. speckit.specify)
@@ -921,6 +930,10 @@ class PresetCatalog:
raise PresetValidationError( raise PresetValidationError(
f"Failed to read catalog config {config_path}: {e}" f"Failed to read catalog config {config_path}: {e}"
) )
if not isinstance(data, dict):
raise PresetValidationError(
f"Invalid catalog config {config_path}: expected a mapping at root, got {type(data).__name__}"
)
catalogs_data = data.get("catalogs", []) catalogs_data = data.get("catalogs", [])
if not catalogs_data: if not catalogs_data:
return None return None