fix(engine): re-validate expanded brace patterns against safeGlob#424
Conversation
expandBracePattern() can produce absolute paths that bypass the initial
safeGlob() check (e.g. `{/etc/passwd,foo}` starts with `{` so
isAbsolute() returns false, but expands to `/etc/passwd`). Add safeGlob()
validation on each expanded pattern before passing to Bun.Glob in both
ctx.glob() and ctx.grepFiles().
Follow-up to #422, addressing CodeRabbit review feedback.
Claude-Session: https://claude.ai/code/session_01C3VSm9YHmfhZ9kLw2fkLE4
Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthrough
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Deploying archgate-cli with
|
| Latest commit: |
076d519
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://3e8c3157.archgate-cli.pages.dev |
| Branch Preview URL: | https://fix-glob-brace-expansion-saf.archgate-cli.pages.dev |
Code Coverage
Full HTML report available in workflow artifacts. Per-directory breakdown
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@tests/engine/runner-security.test.ts`:
- Around line 183-200: Add a new regression test following the same pattern as
the existing "blocks absolute paths produced by brace expansion" test, but for
the grepFiles() method instead of glob(). The test should call ctx.grepFiles
with a regex pattern (like /./), and the same brace expansion string with
absolute path "{/etc/passwd,src/a.ts}". Verify that the result contains the
"access denied" error message, ensuring both the glob() and grepFiles() security
patches are protected against regression.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 5acc22b9-45d6-43ec-943c-dff96b269800
📒 Files selected for processing (2)
src/engine/runner.tstests/engine/runner-security.test.ts
Covers the grepFiles() path in addition to the existing glob() test, ensuring both entry points re-validate expanded patterns via safeGlob(). Claude-Session: https://claude.ai/code/session_01C3VSm9YHmfhZ9kLw2fkLE4 Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
# archgate ## [0.45.6](v0.45.5...v0.45.6) (2026-06-22) ### Bug Fixes * **engine:** pre-expand brace patterns with path separators in ctx.glob() ([#422](#422)) ([6eade7a](6eade7a)), closes [#421](#421) * **engine:** re-validate expanded brace patterns against safeGlob ([#424](#424)) ([09593e7](09593e7)), closes [#422](#422) --- This PR was generated with [simple-release](https://github.com/TrigenSoftware/simple-release). <details> <summary>📄 Cheatsheet</summary> <br> You can configure the bot's behavior through a pull request comment using the `!simple-release/set-options` command. ### Command Format ````md !simple-release/set-options ```json { "bump": {}, "publish": {} } ``` ```` ### Useful Parameters #### Bump | Parameter | Type | Description | |-----------|------|-------------| | `version` | `string` | Force set specific version | | `as` | `'major' \| 'minor' \| 'patch' \| 'prerelease'` | Release type | | `prerelease` | `string` | Pre-release identifier (e.g., "alpha", "beta") | | `firstRelease` | `boolean` | Whether this is the first release | | `skip` | `boolean` | Skip version bump | | `byProject` | `Record<string, object>` | Per-project bump options for monorepos | #### Publish | Parameter | Type | Description | |-----------|------|-------------| | `skip` | `boolean` | Skip publishing | | `access` | `'public' \| 'restricted'` | Package access level | | `tag` | `string` | Tag for npm publication | ### Usage Examples #### Force specific version ````md !simple-release/set-options ```json { "bump": { "version": "2.0.0" } } ``` ```` #### Force major bump ````md !simple-release/set-options ```json { "bump": { "as": "major" } } ``` ```` #### Create alpha pre-release ````md !simple-release/set-options ```json { "bump": { "prerelease": "alpha" } } ``` ```` #### Publish with specific access and tag ````md !simple-release/set-options ```json { "bump": { "prerelease": "beta" }, "publish": { "access": "public", "tag": "beta" } } ``` ```` ### Access Restrictions The command can only be used by users with permissions: - repository owner - organization member - collaborator ### Notes - The last comment with `!simple-release/set-options` command takes priority - JSON must be valid, otherwise the command will be ignored - Parameters apply only to the current release execution - The command can be updated by editing the comment or adding a new one </details> <!-- Please do not edit this comment. simple-release-pull-request: true simple-release-branch-from: release simple-release-branch-to: main --> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Summary
expandBracePattern()can produce absolute paths that bypass the initialsafeGlob()check (e.g.{/etc/passwd,foo}starts with{soisAbsolute()returns false, but expands to/etc/passwd)safeGlob()validation on each expanded pattern before passing toBun.Globin bothctx.glob()andctx.grepFiles()Follow-up to #422, addressing CodeRabbit review feedback.
Test plan
"blocks absolute paths produced by brace expansion"inrunner-security.test.tsbun run validatepasses (lint, typecheck, format, test, 39/39 ADR rules, knip, build)https://claude.ai/code/session_01C3VSm9YHmfhZ9kLw2fkLE4