From 8eb25b98fd3f213c3539856414f885d76a9d03b1 Mon Sep 17 00:00:00 2001
From: user <user@inference.local>
Date: Sun, 15 Feb 2026 14:17:33 -0800
Subject: [PATCH] fix: block .. path components in secret names and validate in
 GetSecretObject

- isValidSecretName() now rejects names with '..' path components (e.g. foo/../bar)
- GetSecretObject() now calls isValidSecretName() before building paths
- Added test cases for mid-path traversal patterns
---
 internal/vault/path_traversal_test.go | 30 +++++++++++++++++++++++++++
 internal/vault/secrets.go             | 11 ++++++++++
 2 files changed, 41 insertions(+)

diff --git a/internal/vault/path_traversal_test.go b/internal/vault/path_traversal_test.go
index 499ba31..f244fe1 100644
--- a/internal/vault/path_traversal_test.go
+++ b/internal/vault/path_traversal_test.go
@@ -35,6 +35,8 @@ func TestGetSecretVersionRejectsPathTraversal(t *testing.T) {
 		"..%2f..%2fetc/passwd",
 		".secret",
 		"../sibling-vault/secrets.d/target",
+		"foo/../bar",
+		"a/../../etc/passwd",
 	}
 
 	for _, name := range maliciousNames {
@@ -64,3 +66,31 @@ func TestGetSecretRejectsPathTraversal(t *testing.T) {
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "invalid secret name")
 }
+
+// TestGetSecretObjectRejectsPathTraversal verifies GetSecretObject
+// also validates names and rejects path traversal attempts.
+func TestGetSecretObjectRejectsPathTraversal(t *testing.T) {
+	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
+
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+
+	vlt, err := CreateVault(fs, stateDir, "test-vault")
+	require.NoError(t, err)
+
+	maliciousNames := []string{
+		"../../../etc/passwd",
+		"foo/../bar",
+		"a/../../etc/passwd",
+	}
+
+	for _, name := range maliciousNames {
+		t.Run(name, func(t *testing.T) {
+			_, err := vlt.GetSecretObject(name)
+			assert.Error(t, err, "GetSecretObject should reject: %s", name)
+			assert.Contains(t, err.Error(), "invalid secret name")
+		})
+	}
+}
diff --git a/internal/vault/secrets.go b/internal/vault/secrets.go
index a7b3387..47b5b76 100644
--- a/internal/vault/secrets.go
+++ b/internal/vault/secrets.go
@@ -92,6 +92,13 @@ func isValidSecretName(name string) bool {
 		return false
 	}
 
+	// Check for path traversal via ".." components
+	for _, part := range strings.Split(name, "/") {
+		if part == ".." {
+			return false
+		}
+	}
+
 	// Check the basic pattern
 	matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name)
 
@@ -460,6 +467,10 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {
 
 // GetSecretObject retrieves a Secret object with metadata loaded from this vault
 func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) {
+	if !isValidSecretName(name) {
+		return nil, fmt.Errorf("invalid secret name: %s", name)
+	}
+
 	// First check if the secret exists by checking for the metadata file
 	vaultDir, err := v.GetDirectory()
 	if err != nil {