From fe875258c9ce430f3a95fa4e54846fd88bf1cfce Mon Sep 17 00:00:00 2001
From: Alex Clarke
Date: Wed, 3 Jun 2026 15:21:16 -0600
Subject: [PATCH] fix: added forgotten skill name validation to has_skill to prevent side-channel attacks
---
 src/config/paths.rs | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/config/paths.rs b/src/config/paths.rs
index d84a663..b1651a7 100644
--- a/src/config/paths.rs
+++ b/src/config/paths.rs
@@ -281,6 +281,10 @@ pub fn list_skills() -> Vec {
 }
 pub fn has_skill(name: &str) -> bool {
+ if validate_skill_name(name).is_err() {
+ return false;
+ }
+
 skill_file(name).is_file()
 }
@@ -337,4 +341,14 @@ mod tests {
 );
 }
 }
+
+ #[test]
+ fn has_skill_returns_false_for_invalid_names() {
+ for bad in ["", "../escape", "foo/bar", ".hidden", "with space"] {
+ assert!(
+ !has_skill(bad),
+ "has_skill({bad:?}) should be false for an invalid name"
+ );
+ }
+ }
 }
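Review bot: The guard added to `has_skill` protects this one caller, but the path is still built by `skill_file(name)`, which as far as this hunk shows accepts any string, so the next caller can forget the check in the same way. `skill_file` is outside the hunk; if it does not validate on its own, consider having it call `validate_skill_name` and return an `Option` or `Result`, so an unvalidated name can never become a filesystem path. Independently, `has_skill` deserves a doc comment stating the contract, for example `/// Returns false for any name rejected by validate_skill_name, so the result never reflects files outside the skills directory.` Note also that `is_file()` follows symlinks, which name validation alone does not cover.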
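Review bot: `has_skill_returns_false_for_invalid_names` would most likely pass without the new guard, because none of the listed names is arranged to resolve to an existing file, so `is_file()` is already false for each of them. To pin the fix, the test should first create a real file at the location a rejected name would resolve to (inside a temporary directory) and only then assert `!has_skill(..)`. It should also include one valid name with an existing skill file, so the guard is shown not to over-reject. How the skills directory is selected under test is not visible here, so that setup is left to the author; the enclosing `mod tests` begins outside the hunk.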