zeroclaw/src
Argenis 031683aae6
fix(security): use path-component matching for forbidden paths (#132)
- Use Path::components() to check for actual .. path components instead of
  simple string matching (which was too conservative)
- Block URL-encoded traversal attempts (e.g., ..%2f)
- Expand tilde (~) for comparison
- Use path-component-aware matching for forbidden paths
- Update test to allow .. in filenames but block actual path traversal

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 08:30:48 -05:00
agent fix: use safe Unicode string truncation to prevent panics (CWE-119) 2026-02-15 06:49:48 -05:00
channels fix(imessage): escape newlines in AppleScript string interpolation 2026-02-15 08:00:59 -05:00
config fix: use safe Unicode string truncation to prevent panics (CWE-119) 2026-02-15 06:49:48 -05:00
cron refactor: consolidate CLI command definitions to lib.rs 2026-02-15 06:52:33 -05:00
daemon feat: integrate open-skills library and cleanup clippy warnings 2026-02-14 20:25:07 -05:00
doctor fix: add missing port/host fields to GatewayConfig and apply_env_overrides method 2026-02-14 16:05:13 -05:00
gateway fix(gateway): use constant-time comparison for WhatsApp verify_token 2026-02-15 07:42:52 -05:00
health fix: add missing port/host fields to GatewayConfig and apply_env_overrides method 2026-02-14 16:05:13 -05:00
heartbeat feat: enhance agent personality, tool guidance, and memory hygiene 2026-02-14 11:28:39 -05:00
integrations refactor: consolidate CLI command definitions to lib.rs 2026-02-15 06:52:33 -05:00
memory fix: prevent panics from byte-level string slicing on multi-byte UTF-8 2026-02-15 08:06:04 -05:00
observability fix: resolve all clippy --all-targets warnings across 15 files 2026-02-14 03:52:57 -05:00
onboard fix: use safe Unicode string truncation to prevent panics (CWE-119) 2026-02-15 06:49:48 -05:00
providers fix(providers): warn on shared API key for fallbacks and warm up all providers (#130) 2026-02-15 08:23:50 -05:00
runtime feat: enhance agent personality, tool guidance, and memory hygiene 2026-02-14 11:28:39 -05:00
security fix(security): use path-component matching for forbidden paths (#132) 2026-02-15 08:30:48 -05:00
service refactor: consolidate CLI command definitions to lib.rs 2026-02-15 06:52:33 -05:00
skills fix(skills): prevent path traversal in skill remove command 2026-02-15 08:15:41 -05:00
tools fix(tools): check for symlinks before writing and reorder mkdir (#131) 2026-02-15 08:26:39 -05:00
tunnel fix: resolve all clippy --all-targets warnings across 15 files 2026-02-14 03:52:57 -05:00
lib.rs refactor: consolidate CLI command definitions to lib.rs 2026-02-15 06:52:33 -05:00
main.rs refactor: consolidate CLI command definitions to lib.rs 2026-02-15 06:52:33 -05:00
migration.rs refactor: consolidate CLI command definitions to lib.rs 2026-02-15 06:52:33 -05:00
util.rs fix: correct truncate_with_ellipsis to trim trailing whitespace 2026-02-15 07:06:56 -05:00