@robzolkos
Owner

Summary

  • Sanitize attachment filenames using filepath.Base() before writing to disk
  • Prevents potential path traversal attacks where a malicious filename could write outside the current directory

Details

When downloading attachments, the CLI now strips any directory components from filenames. This ensures files are always written to the current directory, regardless of what the server returns.

While Fizzy's API is trusted, this follows defense-in-depth principles - the CLI should never write to arbitrary filesystem locations based on external input.

Test plan

  • Unit tests added covering path traversal attempts (../, absolute paths, nested traversal)
  • Unit tests verify normal filenames are unchanged
  • E2E attachment tests pass (upload, download, show all work correctly)

Sanitize filename using filepath.Base() to prevent malicious server
responses from writing files to arbitrary locations on the filesystem.

While Fizzy's API is trusted, this follows defense-in-depth principles
by ensuring the CLI never writes outside the current directory regardless
of what filename the server returns.

Adds comprehensive unit tests covering various path traversal attempts.

@robzolkos force-pushed the fix-attachment-path-traversal branch from 16b67ec to 53c091b, January 24, 2026 20:34
@robzolkos changed the title from "fix: prevent path traversal in attachment downloads" to "Prevent path traversal in attachment downloads", Jan 24, 2026
@robzolkos merged commit 418b0f6 into master, Jan 24, 2026
1 check passed
@robzolkos deleted the fix-attachment-path-traversal branch, January 24, 2026 20:35
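
The basename approach described in this pull request, as an added example that is not the PR's or the Fizzy CLI's own code: it goes one step beyond a bare `filepath.Base()` call by rejecting the results Base returns when no file component is left (`.`, `..`, `/`) and by treating backslashes as separators on every OS. `sanitizeAttachmentName` and `ErrUnsafeName` are hypothetical names, and the sample filenames are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafeName reports a name with no usable file component.
var ErrUnsafeName = errors.New("unsafe attachment filename")

// sanitizeAttachmentName is a hypothetical helper, not the CLI's function.
// It reduces a server-supplied filename to one path element.
func sanitizeAttachmentName(raw string) (string, error) {
	// Treat "\" as a separator on every OS; filepath.Base only does so
	// on Windows, so a Unix build would otherwise keep `..\x` intact.
	name := path.Base(strings.ReplaceAll(raw, `\`, "/"))
	// Base returns "." for empty input and "/" for all-separator input,
	// and passes ".." through unchanged. None of these names a file.
	switch name {
	case ".", "..", "/":
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, raw)
	}
	return name, nil
}

func main() {
	// Constructed sample filenames, as a server response might carry them.
	samples := []string{
		"report.pdf", "../../etc/passwd", "/etc/cron.d/job",
		`..\..\evil.txt`, "", "..", "uploads/..",
	}
	for _, raw := range samples {
		name, err := sanitizeAttachmentName(raw)
		if err != nil {
			fmt.Printf("%-20q rejected: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-20q -> %q\n", raw, name)
	}
}
```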