Skip to content

security: sanitize user input in temp directory names #411

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
its-me-abhishek merged 1 commit into from
Jan 19, 2026
Merged

security: sanitize user input in temp directory names #411

its-me-abhishek merged 1 commit into from
Jan 19, 2026

Conversation

@cfsmp3
Copy link
Collaborator

@cfsmp3 cfsmp3 commented Jan 19, 2026

Summary

  • Replace direct use of email in temp directory names with a SHA256 hash
  • Prevent directory traversal attacks from malicious email values

Security Issue Addressed

Directory Traversal Risk (Medium) - Previously, user email was used directly in temporary directory names via os.MkdirTemp("", "taskwarrior-"+email). If the email contained path separators or special characters, it could potentially cause path-related issues.

Changes

  • backend/utils/sanitize.go: New file with SafeTempDirPrefix() function

    • Takes a prefix and user identifier
    • Returns prefix + 8-character SHA256 hash of the identifier
    • Provides unique prefixes per user without exposing user data

  • Updated files to use SafeTempDirPrefix:

    • backend/utils/tw/add_task.go
    • backend/utils/tw/complete_task.go
    • backend/utils/tw/complete_tasks.go
    • backend/utils/tw/delete_task.go
    • backend/utils/tw/delete_tasks.go
    • backend/utils/tw/edit_task.go
    • backend/utils/tw/fetch_tasks.go
    • backend/utils/tw/modify_task.go

Test plan

  • Verify task operations work correctly
  • Verify temp directories are created with hashed names
  • Verify temp directories are cleaned up after operations

🤖 Generated with Claude Code

@cfsmp3 @claude
security: sanitize user input in temp directory names
eb26f61 
Replace direct use of email in temp directory names with a SHA256 hash
to prevent directory traversal attacks.

- Add utils/sanitize.go with SafeTempDirPrefix() function
- Use 8-character hash of email instead of raw email
- Update all tw/*.go files to use SafeTempDirPrefix

This prevents potential path traversal if user-controlled email
contains special characters like path separators.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Jan 19, 2026

Thank you for opening this PR!

Before a maintainer takes a look, it would be really helpful if you could walk through your changes using GitHub's review tools.

Please take a moment to:

  • Check the "Files changed" tab
  • Leave comments on any lines for functions, comments, etc. that are important, non-obvious, or may need attention
  • Clarify decisions you made or areas you might be unsure about and/or any future updates being considered.
  • Finally, submit all the comments!

More information on how to conduct a self review:
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request

This helps make the review process smoother and gives us a clearer understanding of your thought process.

Once you've added your self-review, we'll continue from our side. Thank you!

@its-me-abhishek its-me-abhishek merged commit 08d3d28 into main Jan 19, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@its-me-abhishek its-me-abhishek its-me-abhishek approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cfsmp3 @its-me-abhishek