Reject path traversal

michaelroudnitski · michaelroudnitski · commit 8d23cbe5e78d · 2025-11-03T14:16:57.000-05:00
diff --git a/src/lib/profile/storage.ts b/src/lib/profile/storage.ts
@@ -17,6 +17,11 @@ export function ensureProfilesDir(): void {
 }
 
 export function getProfilePath(name: string): string {
+  // Reject path traversal attempts, empty names, or names with path separators
+  if (!name || name.includes('/') || name.includes('\\') || name.includes('..')) {
+    throw new Error(`Invalid profile name: "${name}". Profile names cannot contain path separators or parent directory references.`)
+  }
+
   return join(getProfilesDir(), `${name}.json`)
 }
 
diff --git a/test/commands/profiles/storage.test.ts b/test/commands/profiles/storage.test.ts
@@ -222,4 +222,38 @@ describe('profile storage', () => {
       expect(profileExists('nonexistent')).toBe(false)
     })
   })
+
+  describe('getProfilePath', () => {
+    it('accepts valid profile names', () => {
+      expect(() => getProfilePath('valid-profile')).not.toThrow()
+      expect(() => getProfilePath('profile_123')).not.toThrow()
+      expect(() => getProfilePath('MyProfile')).not.toThrow()
+    })
+
+    it('rejects empty profile names', () => {
+      expect(() => getProfilePath('')).toThrow('Invalid profile name')
+    })
+
+    it('rejects profile names with forward slashes', () => {
+      expect(() => getProfilePath('foo/bar')).toThrow('Invalid profile name')
+      expect(() => getProfilePath('/etc/passwd')).toThrow('Invalid profile name')
+    })
+
+    it('rejects profile names with backslashes', () => {
+      expect(() => getProfilePath(String.raw`foo\bar`)).toThrow('Invalid profile name')
+      expect(() => getProfilePath(String.raw`C:\Windows\System32`)).toThrow('Invalid profile name')
+    })
+
+    it('rejects profile names with parent directory references', () => {
+      expect(() => getProfilePath('..')).toThrow('Invalid profile name')
+      expect(() => getProfilePath('../../etc/passwd')).toThrow('Invalid profile name')
+      expect(() => getProfilePath('foo..bar')).toThrow('Invalid profile name')
+    })
+
+    it('rejects path traversal attempts', () => {
+      expect(() => getProfilePath('../../../../some-place-you-should-not-have-access-to')).toThrow(
+        'Invalid profile name',
+      )
+    })
+  })
 })

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,11 @@ export function ensureProfilesDir(): void {`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`export function getProfilePath(name: string): string {`
	`20`	`+ // Reject path traversal attempts, empty names, or names with path separators`
	`21`	`+ if (!name \|\| name.includes('/') \|\| name.includes('\\') \|\| name.includes('..')) {`
	`22`	+ throw new Error(`Invalid profile name: "${name}". Profile names cannot contain path separators or parent directory references.`)
	`23`	`+ }`
	`24`	`+`
`20`	`25`	return join(getProfilesDir(), `${name}.json`)
`21`	`26`	`}`
`22`	`27`