fix: added forgotten skill name validation to has_skill to prevent side-channel attacks
@@ -281,6 +281,10 @@ pub fn list_skills() -> Vec<String> {
|
||||
}
|
||||
|
||||
pub fn has_skill(name: &str) -> bool {
|
||||
if validate_skill_name(name).is_err() {
|
||||
return false;
|
||||
}
|
||||
|
||||
skill_file(name).is_file()
|
||||
}
|
||||
|
||||
@@ -337,4 +341,14 @@ mod tests {
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn has_skill_returns_false_for_invalid_names() {
|
||||
for bad in ["", "../escape", "foo/bar", ".hidden", "with space"] {
|
||||
assert!(
|
||||
!has_skill(bad),
|
||||
"has_skill({bad:?}) should be false for an invalid name"
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
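Review bot: The guard added at the top of `has_skill` is a second copy of a check every caller of `skill_file` has to remember, which is exactly how this one was forgotten; the more robust shape is for `skill_file` itself to validate and return `Option<PathBuf>` (or a `Result`), so that a missed check becomes a compile error rather than a filesystem probe with an unvalidated name. Whether `skill_file` already validates is not visible in this hunk; if it does, the new `if validate_skill_name(name).is_err()` block is redundant and only documentation is needed. Either way `has_skill` should carry a doc comment stating the contract, e.g. `/// Returns true only when `name` passes `validate_skill_name` and its skill file exists; invalid names are rejected before any filesystem access.` The new test pins the rejection of malformed names but not a well-formed name with no file, which would cover the `skill_file(name).is_file()` half of the contract. `list_skills` and `mod tests` both begin outside these hunks.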