fix: added forgotten skill name validation to has_skill to prevent side-channel attacks
@@ -281,6 +281,10 @@ pub fn list_skills() -> Vec<String> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub fn has_skill(name: &str) -> bool {
|
pub fn has_skill(name: &str) -> bool {
|
||||||
|
if validate_skill_name(name).is_err() {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
skill_file(name).is_file()
|
skill_file(name).is_file()
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -337,4 +341,14 @@ mod tests {
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn has_skill_returns_false_for_invalid_names() {
|
||||||
|
for bad in ["", "../escape", "foo/bar", ".hidden", "with space"] {
|
||||||
|
assert!(
|
||||||
|
!has_skill(bad),
|
||||||
|
"has_skill({bad:?}) should be false for an invalid name"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
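Review bot: The new test `has_skill_returns_false_for_invalid_names` probably passes against the pre-fix `has_skill` as well, because `skill_file(bad).is_file()` is already false for `"../escape"` or `"foo/bar"` unless a file happens to exist at the resolved path, so it does not pin the early `return false`. If the skills directory can be pointed at a temporary location in tests (not visible on this page), a stronger case would create a real file outside that directory and assert that the traversal-style name still yields `false`. The guard in `has_skill` would also benefit from a doc comment such as `/// Returns false for any name rejected by validate_skill_name, without touching the filesystem.`, so later callers know the function cannot be used to probe whether arbitrary paths exist. Since the commit title calls the validation "forgotten", it may be worth moving the check into `skill_file` itself so every caller gets it; that function's body is outside this page.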