
fix(github-dev-assistant): reject path traversal in repo path parameters #122

Open
konard wants to merge 3 commits into xlabtg:main from konard:issue-115-e5ad359022df

Conversation


@konard konard commented Apr 7, 2026

Summary

Fixes #115 — path traversal vulnerability in github_get_file (and related tools) where a caller could supply a path like ../.github/workflows/deploy.yml and the GitHub API would resolve the .. segments, potentially exposing files outside the intended scope.

Root cause

Six tools in repo-ops.js and file-ops.js interpolated the path parameter directly into the GitHub API URL without validating it:

  • github_get_file
  • github_update_file
  • github_delete_file
  • github_list_directory
  • github_list_files
  • github_download_file

While encodeURIComponent was used on owner and repo, path was passed raw, allowing .. segments to be sent to the API.

Fix

Added a validateRepoPath(path) helper to utils.js that:

  1. Rejects paths starting with / (repo paths are always relative)
  2. Splits on / and \ and rejects any segment equal to ..

Each of the six affected tools now calls validateRepoPath immediately after validateRequired, returning { success: false, error: "..." } before any API call is made.

Tests

Added plugins/github-dev-assistant/tests/repo-ops.test.js with 20 unit tests covering:

  • .. alone, ../etc/passwd, src/../../etc/passwd
  • Backslash traversal src\..\..\etc\passwd
  • Absolute paths /src/index.js, /
  • Non-string inputs (number, null)
  • Valid paths: src/index.js, .github/workflows/ci.yml, README.md, empty string

All 232 existing and new tests pass.

Test plan

  • npm test passes (232 pass, 0 fail)
  • validateRepoPath unit tests cover traversal attacks, absolute paths, edge cases, and valid paths
  • Affected tools validated: github_get_file, github_update_file, github_delete_file, github_list_directory, github_list_files, github_download_file

🤖 Generated with Claude Code
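The following is an added example, not code from this PR or from the xlabtg repository. It implements the two rules the Fix section describes (reject a leading "/", split on "/" and "\" and reject any ".." segment), exercises the inputs listed under Tests, and goes one step further than the description: a builder that interpolates the path into the Contents API URL only after validation and percent-encodes each segment, so the path gets the same encodeURIComponent treatment the PR says owner and repo already had. The function names, the { success, error } result shape and the URL layout are assumptions.

```javascript
// Added example, not the project's code. Function names, the { success, error }
// result shape and the URL layout are assumptions for illustration.

function validateRepoPath(path) {
  // Non-string inputs (numbers, null, undefined) are rejected outright.
  if (typeof path !== "string") {
    return { success: false, error: "path must be a string" };
  }
  // Repository paths are relative to the repo root, so an absolute path is invalid.
  if (path.startsWith("/")) {
    return { success: false, error: "path must not start with '/'" };
  }
  // Split on both separators so "src\..\..\etc\passwd" cannot hide a ".." segment.
  const segments = path.split(/[\\\/]/);
  if (segments.some((segment) => segment === "..")) {
    return { success: false, error: "path must not contain '..' segments" };
  }
  // The empty string is allowed: it refers to the repository root.
  return { success: true };
}

function buildContentsUrl(owner, repo, path) {
  const check = validateRepoPath(path);
  if (!check.success) {
    return check; // refuse before any URL is built or any request is made
  }
  const base =
    `https://api.github.com/repos/${encodeURIComponent(owner)}` +
    `/${encodeURIComponent(repo)}/contents`;
  // Encode each segment separately so "/" stays a separator while characters
  // such as " ", "#", "?" or "%" inside a file name cannot alter the URL structure.
  const encodedPath = path.split("/").map(encodeURIComponent).join("/");
  return {
    success: true,
    url: encodedPath === "" ? base : `${base}/${encodedPath}`,
  };
}

// Constructed inputs taken from the cases listed in the PR description.
const samples = [
  "..", "../etc/passwd", "src/../../etc/passwd", "src\\..\\..\\etc\\passwd",
  "/src/index.js", "/", 42, null,
  "src/index.js", ".github/workflows/ci.yml", "README.md", "",
];
for (const sample of samples) {
  console.log(
    JSON.stringify(sample), "=>",
    JSON.stringify(buildContentsUrl("xlabtg", "example-repo", sample))
  );
}
```

Because validation happens before interpolation, the six tools can share one call site per tool: validate, return the error object, and only then build the request URL. Encoding the segments after validation is a defence against URL-structure surprises in file names, not a replacement for the ".." check.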

konard and others added 2 commits April 7, 2026 11:10
Adding .gitkeep for PR creation (default mode).
This file will be removed when the task is complete.

Issue: xlabtg#115
…ers (issue xlabtg#115)

Add `validateRepoPath` helper to `utils.js` that rejects any path
containing `..` segments or starting with `/`. Apply the check in
`github_get_file`, `github_update_file`, `github_delete_file`,
`github_list_directory`, `github_list_files`, and `github_download_file`
before the path is interpolated into the GitHub API URL, preventing
directory traversal attacks. Add `repo-ops.test.js` with 20 unit tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@konard konard changed the title from "[WIP] Security: github_get_file allows path traversal via '..' in path parameter" to "fix(github-dev-assistant): reject path traversal in repo path parameters" Apr 7, 2026
@konard konard marked this pull request as ready for review April 7, 2026 11:14

konard commented Apr 7, 2026

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Public pricing estimate: $0.977176
  • Calculated by Anthropic: $0.977176 USD
  • Difference: $-0.000000 (-0.00%)

📊 Context and tokens usage:

  • Context window: 61.1K / 1M input tokens (6%), 12.1K / 64K output tokens (19%)

Total: 52.4K + 2.0M cached input tokens, 12.1K output tokens, $0.977176 cost

🤖 Models used:

  • Tool: Anthropic Claude Code
  • Requested: sonnet
  • Model: Claude Sonnet 4.6 (claude-sonnet-4-6)

📎 Log file uploaded as Gist (924KB)


The working session has now ended; feel free to review and add any feedback on the solution draft.


konard commented Apr 7, 2026

✅ Ready to merge

This pull request is now ready to be merged:

  • All CI checks have passed
  • No merge conflicts
  • No pending changes

Monitored by hive-mind with --auto-restart-until-mergeable flag


Development

Successfully merging this pull request may close these issues.

Security: github_get_file allows path traversal via '..' in path parameter
