Prevent path traversal in --coverage-dir argument (#78)

bartveneman · claude · web-flow · commit 4dd069400d04 · 2026-03-12T15:01:14.000+01:00
* Fix path traversal vulnerability in --coverage-dir option Resolve the provided path to an absolute path and verify it stays within process.cwd(), rejecting any value that would escape the current working directory via ../ sequences. https://claude.ai/code/session_01SoGLdxJCSsRPACjf6uLuyR * rebase + format --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/src/cli/arguments.test.ts b/src/cli/arguments.test.ts
@@ -1,4 +1,5 @@
 import { test, expect } from '@playwright/test'
+import { resolve } from 'node:path'
 import { parse_arguments, validate_arguments } from './arguments'
 
 test.describe('--coverage-dir', () => {
@@ -12,9 +13,21 @@ test.describe('--coverage-dir', () => {
 		expect(() => validate_arguments(parse_arguments([cov, '--coverage-dir']))).toThrowError()
 	})
 
-	test('valid --coverage-dir=path/to/coverage', () => {
-		let result = validate_arguments(parse_arguments([cov, '--coverage-dir=/path/to/coverage']))
-		expect(result['coverage-dir']).toEqual('/path/to/coverage')
+	test('valid --coverage-dir=coverage', () => {
+		let result = validate_arguments(parse_arguments([cov, '--coverage-dir=coverage']))
+		expect(result['coverage-dir']).toEqual(resolve('coverage'))
+	})
+
+	test('path traversal --coverage-dir=../../etc', () => {
+		expect(() =>
+			validate_arguments(parse_arguments([cov, '--coverage-dir=../../etc'])),
+		).toThrowError()
+	})
+
+	test('path traversal --coverage-dir=../sibling', () => {
+		expect(() =>
+			validate_arguments(parse_arguments([cov, '--coverage-dir=../sibling'])),
+		).toThrowError()
 	})
 })
 
diff --git a/src/cli/arguments.ts b/src/cli/arguments.ts
@@ -1,4 +1,5 @@
 import { parseArgs } from 'node:util'
+import { resolve, sep } from 'node:path'
 import * as v from 'valibot'
 
 const show_uncovered_options = {
@@ -13,7 +14,15 @@ const reporters = {
 	json: 'json',
 } as const
 
-let CoverageDirSchema = v.pipe(v.string(), v.nonEmpty())
+let CoverageDirSchema = v.pipe(
+	v.string(),
+	v.nonEmpty(),
+	v.transform((value) => resolve(value)),
+	v.check((value) => {
+		let cwd = process.cwd()
+		return value === cwd || value.startsWith(cwd + sep)
+	}, 'InvalidPath'),
+)
 // Coerce args string to number and validate that it's between 0 and 1
 let RatioPercentageSchema = v.pipe(
 	v.string(),
