fix(targets): sanitize artifact path stems to prevent outDir traversal (#548 #550 #552) #554

Closed

Nexu0ps wants to merge 3 commits into profullstack:master from Nexu0ps:fix/artifact-path-sanitization-chat-mobile-edge

@Nexu0ps Nexu0ps commented Jun 1, 2026

Summary

Fixes path traversal vulnerability in three target adapters where unsanitized config values were interpolated directly into artifact file paths.

Changes

| Target | Config field | Fix |
|---|---|---|
| chat-telegram | botUsername | safeFileStem(botUsername) in artifact path |
| mobile-android | packageName | safeFileStem(packageName) in artifact path |
| browser-edge | productId | safeFileStem(productId) in packageArtifact() |

Each adapter uses the same safeFileStem pattern as browser-firefox — strip non-alphanumeric chars for the filename while preserving original values for API/log use.

Closes #548, #550, #552

- chat-telegram: safeFileStem(botUsername) prevents path traversal in
  telegram-{username}.json artifact path (fixes profullstack#552)
- mobile-android: safeFileStem(packageName) prevents traversal in
  {packageName}-{version}.aab artifact path (fixes profullstack#550)
- browser-edge: safeFileStem(productId) prevents traversal in
  packageArtifact() zip path (fixes profullstack#548)

All three adopt the same safeFileStem helper used by browser-firefox:
replace non-alphanumeric characters (except . _ -) with hyphens.
The original values are preserved for API calls, logs, and store URLs.

greptile-apps Bot commented Jun 1, 2026

Greptile Summary

This PR sanitizes user-controlled config values interpolated into artifact file paths across three target adapters (browser-edge, chat-telegram, mobile-android) using a safeFileStem helper, and partially attempts the same for three package-manager targets. The three adapter fixes are correct, but the changes to pkg-flatpak, pkg-snap, and pkg-winget all suffer from incomplete edits that leave orphaned function-body code at module scope, causing TypeScript compilation failures.

  • Correct fixes: safeFileStem is properly introduced and applied in browser-edge, chat-telegram, and mobile-android; original values are preserved for API/log use.
  • Broken edits: In pkg-flatpak, pkg-snap, and pkg-winget, the original validator function headers were partially removed but their bodies were left behind at module scope, referencing names that no longer exist there — each file will fail to compile.
  • Net state: Three targets are hardened against path traversal; three targets are currently uncompilable and must be fixed before merging.

Confidence Score: 1/5

Not safe to merge: three of the six changed files will not compile, breaking every build that uses pkg-flatpak, pkg-snap, or pkg-winget.

The changes to pkg-flatpak, pkg-snap, and pkg-winget each removed a function declaration while leaving the function body at module scope. Those orphaned blocks reference variables that have no binding outside a function, so the TypeScript compiler rejects all three files with 'Cannot find name' and unexpected-token errors. No build using any of those three targets can succeed until the orphaned code is removed. The three adapter fixes (browser-edge, chat-telegram, mobile-android) are clean and would be safe on their own.

packages/targets/pkg-winget/src/index.ts, packages/targets/pkg-flatpak/src/index.ts, and packages/targets/pkg-snap/src/index.ts all have orphaned code at module scope that prevents compilation.

Important Files Changed

| Filename | Overview |
|---|---|
| packages/targets/browser-edge/src/index.ts | Correctly adds safeFileStem and applies it in packageArtifact; previous syntax-error concern is resolved in the current state. |
| packages/targets/chat-telegram/src/index.ts | Adds safeFileStem and applies it to botUsername in the artifact path; original username value still used correctly for API/log calls. |
| packages/targets/mobile-android/src/index.ts | Adds safeFileStem and applies it to packageName in the artifact path; fix mirrors the other adapters correctly. |
| packages/targets/pkg-flatpak/src/index.ts | Partial removal of the original validateAppId left an orphaned block at module scope (lines 36–50); a second, complete validateAppId at line 108 is intact but the file will not compile as-is. |
| packages/targets/pkg-snap/src/index.ts | Partial removal of the original validateSnapName left orphaned code at module scope (lines 41–50) referencing undefined snapName; compilation will fail. |
| packages/targets/pkg-winget/src/index.ts | Partial removal of original validatePackageId header left an orphaned block at module scope (lines 32–44) referencing undefined packageId; TypeScript compilation will fail, breaking all winget builds. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Config value\ne.g. productId / botUsername / packageName] --> B{safeFileStem applied?}
    B -- "Yes (browser-edge,\nchat-telegram,\nmobile-android)" --> C[Strip non-alphanumeric chars\nreplace with '-']
    C --> D[Trim leading/trailing hyphens]
    D --> E[Fallback to default stem\nif result is empty]
    E --> F[Safe artifact path via path.join]
    B -- "No — compile error\n(pkg-flatpak, pkg-snap,\npkg-winget)" --> G[Orphaned validator body\nat module scope]
    G --> H[TypeScript: Cannot find name\nUnexpected token]
    H --> I[Build fails — target unusable]

Comments Outside Diff (1)

  1. packages/targets/pkg-winget/src/index.ts, line 32-44

    P0 Orphaned function body causes compilation failure

    The patch removed the validatePackageId function declaration and its first two guard checks (!packageId and startsWith('.')) but left the rest of the function body at module scope. Lines 32–44 reference packageId, which has no binding at module level, so TypeScript rejects the file with Cannot find name 'packageId'. The lone } at line 44 is also an unexpected token at module scope. Every build that targets pkg-winget will fail to compile until this orphaned block is deleted and the still-complete second validatePackageId (at line 125) is kept as the sole definition.

Reviews (3): Last reviewed commit: "fix: remove duplicate validatePackageId ..." | Re-trigger Greptile
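
The sanitizing steps this thread describes (replace, trim, fallback, then join), as an added TypeScript example that is not the project's own code. `safeFileStem` is re-implemented here from the description; the fallback name, `artifactPath`, `unsafeTelegramArtifact`, `telegramArtifact`, and the sample values are assumptions, and the containment check is an extra guard the PR does not mention.

```typescript
import * as path from "node:path";

// Re-implementation from the thread's description (not the project's code):
// keep [A-Za-z0-9._-], replace anything else with "-", trim hyphens,
// and fall back to a default stem (assumed name) when nothing is left.
function safeFileStem(value: string, fallback = "artifact"): string {
  const stem = value.replace(/[^A-Za-z0-9._-]/g, "-").replace(/^-+|-+$/g, "");
  return stem.length > 0 ? stem : fallback;
}

// Assumed extra guard, not part of the PR: resolve the final path and
// refuse anything that is not strictly inside outDir.
function artifactPath(outDir: string, fileName: string): string {
  const root = path.resolve(outDir);
  const full = path.resolve(root, fileName);
  const rel = path.relative(root, full);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`artifact path escapes outDir: ${fileName}`);
  }
  return full;
}

// "Before": the config value goes straight into the file name.
function unsafeTelegramArtifact(outDir: string, botUsername: string): string {
  return path.join(outDir, `telegram-${botUsername}.json`);
}

// "After": sanitized stem for the file name, then the containment check.
function telegramArtifact(outDir: string, botUsername: string): string {
  return artifactPath(outDir, `telegram-${safeFileStem(botUsername)}.json`);
}

// Constructed sample values, not taken from the project or its issues.
for (const name of ["my_bot", "../../../escaped", "////"]) {
  console.log(JSON.stringify(name), "->",
    unsafeTelegramArtifact("/srv/out", name), "|",
    telegramArtifact("/srv/out", name));
}
```

Because `.` is kept, a stem can still contain `..`; it stays harmless only while no path separator survives, which is what the containment check confirms on the resolved path.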

Comment thread packages/targets/browser-edge/src/index.ts Outdated
- browser-edge: fix 'nfunction' typo from sed insertion (was missing newline)
- pkg-flatpak: remove duplicate validateAppId function (from merged PR profullstack#535)
- pkg-snap: remove duplicate validateSnapName function (from merged PR profullstack#535)
Nexu0ps added a commit to Nexu0ps/sh1pt that referenced this pull request Jun 2, 2026
Same fixes as applied to PR profullstack#554 branch:
- browser-edge: fix 'nfunction' -> proper newline + function
- pkg-flatpak: remove duplicate validateAppId
- pkg-snap: remove duplicate validateSnapName
@ralyodio ralyodio closed this Jun 2, 2026
Development

Successfully merging this pull request may close these issues.

Bug: browser-edge artifact path can escape outDir via productId