secret

sneak/secret

Fork 1

Commit Graph

Author	SHA1	Message	Date
user	8eb25b98fd	fix: block .. path components in secret names and validate in GetSecretObject - isValidSecretName() now rejects names with '..' path components (e.g. foo/../bar) - GetSecretObject() now calls isValidSecretName() before building paths - Added test cases for mid-path traversal patterns	2026-02-15 14:17:33 -08:00
clawbot	3fd30bb9e6	Validate secret name in GetSecretVersion to prevent path traversal Add isValidSecretName() check at the top of GetSecretVersion(), matching the existing validation in AddSecret(). Without this, crafted secret names containing path traversal sequences (e.g. '../../../etc/passwd') could be used to read files outside the vault directory. Add regression tests for both GetSecretVersion and GetSecret. Closes #13	2026-02-15 14:03:28 -08:00

Author

SHA1

Message

Date

user

8eb25b98fd

fix: block .. path components in secret names and validate in GetSecretObject

- isValidSecretName() now rejects names with '..' path components (e.g. foo/../bar)
- GetSecretObject() now calls isValidSecretName() before building paths
- Added test cases for mid-path traversal patterns

2026-02-15 14:17:33 -08:00

clawbot

3fd30bb9e6

Validate secret name in GetSecretVersion to prevent path traversal

Add isValidSecretName() check at the top of GetSecretVersion(), matching
the existing validation in AddSecret(). Without this, crafted secret names
containing path traversal sequences (e.g. '../../../etc/passwd') could be
used to read files outside the vault directory.

Add regression tests for both GetSecretVersion and GetSecret.

Closes #13

2026-02-15 14:03:28 -08:00

2 Commits