fix: critical git diff arg order, wiki path traversal, schema mismatch

tirth8205 · claude · tirth8205 · commit 6355405eb5e3 · 2026-03-26T18:08:12.000Z
- Fix git diff argument ordering: place base ref BEFORE -- separator,
  not after (-- means "paths follow", so base was treated as a filename)
- Fix path traversal in get_wiki_page() fallback: validate resolved path
  stays within wiki directory using is_relative_to()
- Fix wiki flow query: flow_memberships has no node_qualified_name column,
  JOIN through nodes table to get qualified_name
- Tighten git ref validation from startswith("-") to regex allowlist
- Update VSCode extension SUPPORTED_SCHEMA_VERSION from 1 to 5
- Update SECURITY.md supported versions to 2.0.x

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -4,8 +4,8 @@
 
 | Version | Supported |
 |---------|-----------|
-| 1.8.x   | Yes       |
-| < 1.8   | No        |
+| 2.0.x   | Yes       |
+| < 2.0   | No        |
 
 ## Reporting a Vulnerability
 
diff --git a/code-review-graph-vscode/src/backend/sqlite.ts b/code-review-graph-vscode/src/backend/sqlite.ts
@@ -184,8 +184,8 @@ export class SqliteReader {
           .get() as { value: string } | undefined;
         if (row) {
           const version = parseInt(row.value, 10);
-          // Current supported schema version
-          const SUPPORTED_SCHEMA_VERSION = 1;
+          // Must match LATEST_VERSION in code_review_graph/migrations.py
+          const SUPPORTED_SCHEMA_VERSION = 5;
           if (!isNaN(version) && version > SUPPORTED_SCHEMA_VERSION) {
             return `Database was created with a newer version (schema v${version}). Update the extension.`;
           }
diff --git a/code_review_graph/changes.py b/code_review_graph/changes.py
@@ -19,6 +19,8 @@
 
 _GIT_TIMEOUT = int(os.environ.get("CRG_GIT_TIMEOUT", "30"))  # seconds, configurable
 
+_SAFE_GIT_REF = re.compile(r"^[A-Za-z0-9_.~^/@{}\-]+$")
+
 # Security-sensitive keywords that increase a node's risk score.
 _SECURITY_KEYWORDS: set[str] = {
     "auth", "login", "password", "token", "session", "crypt", "secret",
@@ -47,12 +49,12 @@ def parse_git_diff_ranges(
         Mapping of file paths to lists of ``(start_line, end_line)`` tuples.
         Returns an empty dict on error.
     """
-    if base.startswith("-"):
-        logger.warning("Invalid git ref (starts with '-'): %s", base)
+    if not _SAFE_GIT_REF.match(base):
+        logger.warning("Invalid git ref rejected: %s", base)
         return {}
     try:
         result = subprocess.run(
-            ["git", "diff", "--unified=0", "--", base],
+            ["git", "diff", "--unified=0", base, "--"],
             capture_output=True,
             text=True,
             cwd=repo_root,
diff --git a/code_review_graph/incremental.py b/code_review_graph/incremental.py
@@ -10,6 +10,7 @@
 import hashlib
 import logging
 import os
+import re
 import subprocess
 import time
 from pathlib import Path
@@ -130,15 +131,17 @@ def _is_binary(path: Path) -> bool:
 
 _GIT_TIMEOUT = int(os.environ.get("CRG_GIT_TIMEOUT", "30"))  # seconds, configurable
 
+_SAFE_GIT_REF = re.compile(r"^[A-Za-z0-9_.~^/@{}\-]+$")
+
 
 def get_changed_files(repo_root: Path, base: str = "HEAD~1") -> list[str]:
     """Get list of changed files via git diff."""
-    if base.startswith("-"):
-        logger.warning("Invalid git ref (starts with '-'): %s", base)
+    if not _SAFE_GIT_REF.match(base):
+        logger.warning("Invalid git ref rejected: %s", base)
         return []
     try:
         result = subprocess.run(
-            ["git", "diff", "--name-only", "--", base],
+            ["git", "diff", "--name-only", base, "--"],
             capture_output=True,
             text=True,
             cwd=str(repo_root),
diff --git a/code_review_graph/wiki.py b/code_review_graph/wiki.py
@@ -103,10 +103,11 @@ def _generate_community_page(store: GraphStore, community: dict[str, Any]) -> st
         for flow in all_flows:
             # Check if this flow passes through any community member
             flow_members = store._conn.execute(
-                "SELECT node_qualified_name FROM flow_memberships WHERE flow_id = ?",
+                "SELECT n.qualified_name FROM flow_memberships fm "
+                "JOIN nodes n ON fm.node_id = n.id WHERE fm.flow_id = ?",
                 (flow["id"],),
             ).fetchall()
-            flow_qns = {r["node_qualified_name"] for r in flow_members}
+            flow_qns = {r["qualified_name"] for r in flow_members}
             if flow_qns & member_set:
                 community_flows.append(flow)
 
@@ -273,9 +274,9 @@ def get_wiki_page(wiki_dir: str | Path, page_name: str) -> str | None:
     if filepath.is_file():
         return filepath.read_text(encoding="utf-8")
 
-    # Fallback: try exact filename match
-    exact_path = wiki_path / page_name
-    if exact_path.is_file():
+    # Fallback: try exact filename match — with path traversal protection
+    exact_path = (wiki_path / page_name).resolve()
+    if exact_path.is_file() and exact_path.is_relative_to(wiki_path.resolve()):
         return exact_path.read_text(encoding="utf-8")
 
     # Fallback: search for partial match
