Fix(security): Prevent path traversal in LaunchEditor

mcepl · mcepl · commit 9bddc7334d24 · 2025-12-06T14:52:01.000+01:00
The LaunchEditor function was vulnerable to path traversal (G304, CWE-22).
The 'fileName' parameter could be manipulated to access files outside
the intended local storage root.

The fix adds a check to ensure that the resolved path remains within
the local storage root, preventing unauthorized file access.
diff --git a/commands/input/input.go b/commands/input/input.go
@@ -12,6 +12,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 
 	"github.com/go-git/go-billy/v5/util"
 
@@ -51,6 +52,9 @@ func LaunchEditor(repo repository.RepoCommonStorage, fileName string) (string, e
 	// bypass the interface but that's ok: we need that because we are communicating
 	// the absolute path to an external program
 	path := filepath.Join(repo.LocalStorage().Root(), fileName)
+	if !strings.HasPrefix(path, repo.LocalStorage().Root()) {
+		return "", fmt.Errorf("security: path traversal attempt")
+	}
 
 	cmd, err := startInlineCommand(editor, path)
 	if err != nil {
