fix(security): 2 improvements across 2 files #4453

Open
tomaioo wants to merge 2 commits into temporalio:main from tomaioo:fix/security/build-script-allows-path-traversal-via-a

Conversation


@tomaioo tomaioo commented Apr 18, 2026

Summary

fix(security): 2 improvements across 2 files

Problem

Severity: Medium | File: bin/ensure-ai-cookbook.js:L7

The output directory is derived from the AI_COOKBOOK_OUTPUT_DIR environment variable and joined directly into a filesystem path. An attacker (or misconfigured CI job) could supply values like ../../... to write outside the repository root when creating the placeholder file.

Solution

Validate and constrain AI_COOKBOOK_OUTPUT_DIR to an allowlisted subdirectory. Use path.resolve and enforce that the resolved path starts with WORKSPACE_ROOT (or a specific intended base directory) before writing.

Changes

  • bin/ensure-ai-cookbook.js (modified)
  • src/components/elements/CallToAction.js (modified)

Attachments: EDU-6224 fix(security): 2 improvements across 2 files

tomaioo added 2 commits April 17, 2026 17:11
- Security: Build script allows path traversal via AI_COOKBOOK_OUTPUT_DIR
- Security: Unvalidated href prop may enable javascript: URL injection

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@tomaioo tomaioo requested a review from a team as a code owner April 18, 2026 00:11

vercel Bot commented Apr 18, 2026

@tomaioo is attempting to deploy a commit to the Temporal Team on Vercel.

A member of the Team first needs to authorize it.


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
