Skip to content

[security-fix] Fix path traversal vulnerability in ParseWorkflowFile (Alert #419) #7876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pelikhan merged 1 commit into from
Dec 27, 2025
Merged

[security-fix] Fix path traversal vulnerability in ParseWorkflowFile (Alert #419) #7876

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 14 additions & 10 deletions pkg/workflow/compiler_orchestrator.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,12 @@ var detectionLog = logger.New("workflow:detection")
func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error) {
log.Printf("Reading file: %s", markdownPath)

// Clean the path to prevent path traversal issues (gosec G304)
// filepath.Clean removes ".." and other problematic path elements
cleanPath := filepath.Clean(markdownPath)

// Read the file
content, err := os.ReadFile(markdownPath)
content, err := os.ReadFile(cleanPath)
if err != nil {
return nil, fmt.Errorf("failed to read file: %w", err)
}
Expand All @@ -34,7 +38,7 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
if result != nil && result.FrontmatterStart > 0 {
frontmatterStart = result.FrontmatterStart
}
return nil, c.createFrontmatterError(markdownPath, string(content), err, frontmatterStart)
return nil, c.createFrontmatterError(cleanPath, string(content), err, frontmatterStart)
}

if len(result.Frontmatter) == 0 {
Expand All @@ -46,7 +50,7 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
}

// Preprocess schedule fields to convert human-friendly format to cron expressions
if err := c.preprocessScheduleFields(result.Frontmatter, markdownPath, string(content)); err != nil {
if err := c.preprocessScheduleFields(result.Frontmatter, cleanPath, string(content)); err != nil {
return nil, err
}

Expand All @@ -55,7 +59,7 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
frontmatterForValidation := c.copyFrontmatterWithoutInternalMarkers(result.Frontmatter)

// Validate main workflow frontmatter contains only expected entries
if err := parser.ValidateMainWorkflowFrontmatterWithSchemaAndLocation(frontmatterForValidation, markdownPath); err != nil {
if err := parser.ValidateMainWorkflowFrontmatterWithSchemaAndLocation(frontmatterForValidation, cleanPath); err != nil {
return nil, err
}

Expand All @@ -66,7 +70,7 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)

log.Printf("Frontmatter: %d chars, Markdown: %d chars", len(result.Frontmatter), len(result.Markdown))

markdownDir := filepath.Dir(markdownPath)
markdownDir := filepath.Dir(cleanPath)

// Extract AI engine setting from frontmatter
engineSetting, engineConfig := c.ExtractEngineConfig(result.Frontmatter)
Expand Down Expand Up @@ -132,7 +136,7 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
// Process imports from frontmatter first (before @include directives)
importCache := c.getSharedImportCache()
// Pass the full file content for accurate line/column error reporting
importsResult, err := parser.ProcessImportsFromFrontmatterWithSource(result.Frontmatter, markdownDir, importCache, markdownPath, string(content))
importsResult, err := parser.ProcessImportsFromFrontmatterWithSource(result.Frontmatter, markdownDir, importCache, cleanPath, string(content))
if err != nil {
return nil, err // Error is already formatted with source location
}
Expand Down Expand Up @@ -397,7 +401,7 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
sort.Strings(allIncludedFiles)

// Extract workflow name
workflowName, err := parser.ExtractWorkflowNameFromMarkdown(markdownPath)
workflowName, err := parser.ExtractWorkflowNameFromMarkdown(cleanPath)
if err != nil {
return nil, fmt.Errorf("failed to extract workflow name: %w", err)
}
Expand Down Expand Up @@ -624,7 +628,7 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
workflowData.RepoMemoryConfig = repoMemoryConfig

// Process stop-after configuration from the on: section
err = c.processStopAfterConfiguration(result.Frontmatter, workflowData, markdownPath)
err = c.processStopAfterConfiguration(result.Frontmatter, workflowData, cleanPath)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -710,13 +714,13 @@ func (c *Compiler) ParseWorkflowFile(markdownPath string) (*WorkflowData, error)
workflowData.SafeOutputs = mergedSafeOutputs

// Parse the "on" section for command triggers, reactions, and other events
err = c.parseOnSection(result.Frontmatter, workflowData, markdownPath)
err = c.parseOnSection(result.Frontmatter, workflowData, cleanPath)
if err != nil {
return nil, err
}

// Apply defaults
c.applyDefaults(workflowData, markdownPath)
c.applyDefaults(workflowData, cleanPath)

// Apply pull request draft filter if specified
c.applyPullRequestDraftFilter(workflowData, result.Frontmatter)
Expand Down