fix: harden input validation, path traversal, and sensitive file handling (#230)

* fix(gitlog): validate git references to prevent command injection

* fix(pathutil): resolve symlinks for case-insensitive filesystem safety

* fix(extensionmgr): skip sensitive files during copy and set working directory

Add .env, .secrets, and .key files to skip list during extension copy. Set cmd.Dir to extension directory for script execution.

Author: indaco

internal/extensionmgr/copy.go

@@ -159,14 +159,29 @@ var skipNames = map[string]struct{}{
 	".git":         {},
 	".DS_Store":    {},
 	"node_modules": {},
+	".env":         {},
+	".secrets":     {},
 }
 
+// skipSuffixes defines file suffixes to exclude during directory copying.
+var skipSuffixes = []string{".key"}
+
 // copyDirFn is kept for backward compatibility during migration.
 var copyDirFn = func(src, dst string) error { return defaultFileCopier.CopyDir(src, dst) }
 
 // shouldSkipEntry determines whether a file should be skipped or a directory subtree should be skipped.
 func shouldSkipEntry(info os.FileInfo) (skipFile bool, skipDir bool) {
-	_, skip := skipNames[info.Name()]
+	name := info.Name()
+	_, skip := skipNames[name]
+	if !skip {
+		// Check suffix-based skip patterns (e.g., .key files)
+		for _, suffix := range skipSuffixes {
+			if strings.HasSuffix(name, suffix) {
+				skip = true
+				break
+			}
+		}
+	}
 	if !skip {
 		return false, false
 	}

internal/extensionmgr/copy_test.go

@@ -198,7 +198,9 @@ func TestShouldSkipEntry(t *testing.T) {
 		{"git directory", ".git", true, false, true},
 		{"node_modules directory", "node_modules", true, false, true},
 		{"regular file", "main.go", false, false, false},
-		{"dotfile", ".env", false, false, false},
+		{"env file skipped", ".env", false, true, false},
+		{"secrets file skipped", ".secrets", false, true, false},
+		{"key file skipped", "server.key", false, true, false},
 		{"unknown dir", "config", true, false, false},
 	}
 

internal/extensionmgr/executor.go

@@ -102,8 +102,9 @@ func (e *ScriptExecutor) Execute(ctx context.Context, scriptPath string, input *
 	execCtx, cancel := context.WithTimeout(ctx, e.Timeout)
 	defer cancel()
 
-	// Prepare command
+	// Prepare command with working directory set to the script's directory
 	cmd := exec.CommandContext(execCtx, absPath)
+	cmd.Dir = filepath.Dir(absPath)
 	cmd.Stdin = bytes.NewReader(inputJSON)
 
 	var stdout, stderr bytes.Buffer

internal/pathutil/pathutil.go

@@ -7,6 +7,31 @@ import (
 	"github.com/indaco/sley/internal/apperrors"
 )
 
+// resolveSymlinks attempts to resolve symlinks for both paths.
+// On case-insensitive filesystems (e.g., macOS), /var may be a symlink to /private/var.
+// To avoid false mismatches, both paths are resolved together:
+// if either resolution fails, the originals are returned unchanged.
+func resolveSymlinks(absBase, absPath string) (string, string) {
+	resolvedBase, baseErr := filepath.EvalSymlinks(absBase)
+	if baseErr != nil {
+		return absBase, absPath
+	}
+
+	// Try resolving the full path first
+	if resolvedPath, err := filepath.EvalSymlinks(absPath); err == nil {
+		return resolvedBase, resolvedPath
+	}
+
+	// Path doesn't exist yet; try resolving parent directory and reattach the filename
+	parent := filepath.Dir(absPath)
+	if resolvedParent, err := filepath.EvalSymlinks(parent); err == nil {
+		return resolvedBase, filepath.Join(resolvedParent, filepath.Base(absPath))
+	}
+
+	// Cannot resolve path side — fall back to both unresolved to avoid mismatch
+	return absBase, absPath
+}
+
 // ValidatePath ensures a path is safe and within expected boundaries.
 // It rejects paths with directory traversal attempts and cleans the path.
 func ValidatePath(path string, baseDir string) (string, error) {
@@ -29,6 +54,9 @@ func ValidatePath(path string, baseDir string) (string, error) {
 			return "", &apperrors.PathValidationError{Path: path, Reason: "invalid path"}
 		}
 
+		// Resolve symlinks to normalize paths on case-insensitive filesystems
+		absBase, absPath = resolveSymlinks(absBase, absPath)
+
 		// Check for directory traversal
 		if !strings.HasPrefix(absPath, absBase+string(filepath.Separator)) && absPath != absBase {
 			return "", &apperrors.PathValidationError{Path: path, Reason: "path traversal detected"}
@@ -39,6 +67,7 @@ func ValidatePath(path string, baseDir string) (string, error) {
 }
 
 // IsWithinDir checks if a path is within a given directory.
+// Resolves symlinks to handle case-insensitive filesystems correctly.
 func IsWithinDir(path string, dir string) bool {
 	absPath, err := filepath.Abs(path)
 	if err != nil {
@@ -50,5 +79,8 @@ func IsWithinDir(path string, dir string) bool {
 		return false
 	}
 
+	// Resolve symlinks to normalize paths on case-insensitive filesystems
+	absDir, absPath = resolveSymlinks(absDir, absPath)
+
 	return strings.HasPrefix(absPath, absDir+string(filepath.Separator)) || absPath == absDir
 }

internal/plugins/commitparser/gitlog/gitlog.go

@@ -4,9 +4,28 @@ import (
 	"bytes"
 	"fmt"
 	"os/exec"
+	"regexp"
 	"strings"
 )
 
+// validGitRef matches safe git reference names: alphanumeric, dots, hyphens, slashes, tildes, carets.
+// Rejects shell metacharacters, spaces, and ".." sequences within ref names.
+var validGitRef = regexp.MustCompile(`^[a-zA-Z0-9._/~^@{}\-]+$`)
+
+// validateGitRef checks that a git reference is safe to use in a revision range.
+func validateGitRef(ref string) error {
+	if ref == "" {
+		return fmt.Errorf("git reference cannot be empty")
+	}
+	if strings.Contains(ref, "..") {
+		return fmt.Errorf("git reference %q contains invalid '..' sequence", ref)
+	}
+	if !validGitRef.MatchString(ref) {
+		return fmt.Errorf("git reference %q contains invalid characters", ref)
+	}
+	return nil
+}
+
 var (
 	GetCommitsFn = getCommits
 	execCommand  = exec.Command
@@ -26,6 +45,14 @@ func getCommits(since string, until string) ([]string, error) {
 		}
 	}
 
+	// Validate git references to prevent unexpected behavior
+	if err := validateGitRef(since); err != nil {
+		return nil, fmt.Errorf("invalid 'since' reference: %w", err)
+	}
+	if err := validateGitRef(until); err != nil {
+		return nil, fmt.Errorf("invalid 'until' reference: %w", err)
+	}
+
 	revRange := since + ".." + until
 	cmd := execCommand("git", "log", "--pretty=format:%s", revRange)