Specify and enforce path invariants (UTF-8, forward-slash, relative, no traversal) #26

New Issue

clawbot · 2026-02-09T01:05:42+01:00

clawbot commented

2026-02-09 01:05:42 +01:00

Phase 1 item from #10

File paths in the manifest have no documented or enforced invariants. This is both a security issue (path traversal via ..) and a cross-platform compatibility issue (macOS NFD vs Linux NFC, backslashes on Windows).

Specify in proto comments and enforce in code:

UTF-8 encoded
Forward-slash separators only
Relative paths (no leading /)
No .. components
No empty path segments (foo//bar)

Validation should happen in Builder.AddFile and Builder.AddFileWithHash. Invalid paths should return an error.

**Phase 1 item from #10** File paths in the manifest have no documented or enforced invariants. This is both a security issue (path traversal via `..`) and a cross-platform compatibility issue (macOS NFD vs Linux NFC, backslashes on Windows). Specify in proto comments and enforce in code: - UTF-8 encoded - Forward-slash separators only - Relative paths (no leading `/`) - No `..` components - No empty path segments (`foo//bar`) Validation should happen in `Builder.AddFile` and `Builder.AddFileWithHash`. Invalid paths should return an error.

clawbot self-assigned this 2026-02-09 01:05:42 +01:00

clawbot referenced this issue from a commit

2026-02-09 01:12:09 +01:00

Specify and enforce path invariants in Builder

clawbot referenced a pull request that will close this issue

2026-02-09 01:12:16 +01:00

Specify and enforce path invariants (closes #26) #31

sneak closed this issue

2026-02-09 01:45:29 +01:00

sneak referenced this issue from a commit

2026-02-09 01:45:30 +01:00

Specify and enforce path invariants (closes #26) (#31)