fix: security, correctness, and test hardening from review
- routes.py: reject glob wildcards (* ? [ ]) in skill name param to prevent rglob wildcard injection when serving linked files - panels.js: replace inline onclick+esc() with data-* attributes and addEventListener for skill tag removal and linked-file clicks; esc() is HTML-safe but not JS-safe -- apostrophes in names caused JS syntax errors and _cronSelectedSkills array corruption - ui.js: fix _fmtTokens(null/undefined) returning 'null'/'undefined' by guarding with (!n||n<0) -> '0'; add data-role attribute to msg-row elements so usage badge correctly targets the last assistant row instead of the last row regardless of speaker - tests: rename test_sprint24.py -> test_sprint23.py (wrong sprint #); add 3 new tests: path traversal rejection, wildcard name rejection, cron create with skills; strengthen existing tests to assert field presence explicitly (was using .get(field, 0)==0 which never caught a missing field)
This commit is contained in:
Nathan Esquenazi
@@ -230,6 +230,9 @@ def handle_get(handler, parsed):
|
||||
file_path = qs.get('file', [''])[0]
|
||||
if file_path:
|
||||
# Serve a linked file from the skill directory
|
||||
import re as _re
|
||||
if _re.search(r'[*?\[\]]', name):
|
||||
return bad(handler, 'Invalid skill name', 400)
|
||||
skill_dir = None
|
||||
for p in SKILLS_DIR.rglob(name):
|
||||
if p.is_dir(): skill_dir = p; break
|
||||
|
||||
Reference in New Issue
Block a user