Problem
saveArtifactFile(taskId, name, ...) joins user-provided name directly into the artifact path.
Relevant code:
const uri = join(this.stateDir, "artifacts", taskId, name);
Values like ../other/file can escape the intended task artifact directory.
Impact
Path traversal within the state directory, and potentially beyond it depending on normalization and inputs.
Suggested fix
Resolve and validate the final path under the task artifact root, or restrict name to a safe basename/safe relative path segments.
Acceptance criteria
- Attempts to save artifacts with ../ or absolute paths are rejected.
- Tests verify valid nested safe paths still work if supported.
Relevant code location: src/index.ts:102-108
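One way to implement the suggested fix and meet the acceptance criteria above, as an added example that is not the project's own code. `resolveArtifactPath` is a hypothetical helper, and the single-segment restriction on `taskId` is an assumption the issue does not state.

```typescript
import * as path from "node:path";

// Hypothetical helper (not from the project): returns the on-disk path for an
// artifact and throws if it would land outside <stateDir>/artifacts/<taskId>.
function resolveArtifactPath(stateDir: string, taskId: string, name: string): string {
  // Assumption: taskId is a single path segment. The issue only discusses
  // `name`, but an unchecked taskId would move the root itself.
  if (!/^[A-Za-z0-9._-]+$/.test(taskId) || taskId === "." || taskId === "..") {
    throw new Error(`invalid taskId: ${JSON.stringify(taskId)}`);
  }
  if (name.length === 0 || name.includes("\0")) {
    throw new Error("invalid artifact name");
  }
  // Reject absolute names under both POSIX and Windows rules, whatever the host OS.
  if (path.posix.isAbsolute(name) || path.win32.isAbsolute(name)) {
    throw new Error(`absolute artifact name rejected: ${JSON.stringify(name)}`);
  }

  const root = path.resolve(stateDir, "artifacts", taskId);
  const target = path.resolve(root, name); // collapses "." and ".." segments

  // A relative path from root that is empty, starts with "..", or is absolute
  // (another drive on Windows) means target is not a file inside root.
  const rel = path.relative(root, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`artifact name escapes task directory: ${JSON.stringify(name)}`);
  }
  return target;
}
```

The check is lexical: it does not follow symlinks that already exist under the artifact directory, so a deployment where those can be created needs a realpath comparison as well.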