fix: block .. path components in secret names and validate in GetSecretObject

- isValidSecretName() now rejects names with '..' path components (e.g. foo/../bar) - GetSecretObject() now calls isValidSecretName() before building paths - Added test cases for mid-path traversal patterns
2026-02-15 14:17:33 -08:00
parent 3fd30bb9e6
commit 8eb25b98fd
2 changed files with 41 additions and 0 deletions
--- a/internal/vault/secrets.go
+++ b/internal/vault/secrets.go
@@ -92,6 +92,13 @@ func isValidSecretName(name string) bool {
 		return false
 	}

+	// Check for path traversal via ".." components
+	for _, part := range strings.Split(name, "/") {
+		if part == ".." {
+			return false
+		}
+	}
+
 	// Check the basic pattern
 	matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name)

@@ -460,6 +467,10 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {

 // GetSecretObject retrieves a Secret object with metadata loaded from this vault
 func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) {
+	if !isValidSecretName(name) {
+		return nil, fmt.Errorf("invalid secret name: %s", name)
+	}
+
 	// First check if the secret exists by checking for the metadata file
 	vaultDir, err := v.GetDirectory()
 	if err != nil {