fix: added forgotten skill name validation to has_skill to prevent side-channel attacks

This commit is contained in:
2026-06-03 15:21:16 -06:00
parent b218d8e193
commit fe875258c9
+14
View File
@@ -281,6 +281,10 @@ pub fn list_skills() -> Vec<String> {
}
pub fn has_skill(name: &str) -> bool {
if validate_skill_name(name).is_err() {
return false;
}
skill_file(name).is_file()
}
@@ -337,4 +341,14 @@ mod tests {
);
}
}
#[test]
fn has_skill_returns_false_for_invalid_names() {
for bad in ["", "../escape", "foo/bar", ".hidden", "with space"] {
assert!(
!has_skill(bad),
"has_skill({bad:?}) should be false for an invalid name"
);
}
}
}