Fix critical skills path-remap root escape (including symlink traversal) (#367)

* Block skills path-remap escapes outside project root

* Harden path remap against symlink-based root escape

* test: isolate update tests from real git index
Lawyered
2026-02-22 17:10:45 -05:00
committed by GitHub
parent 264f855566
commit 856f98023c
4 changed files with 274 additions and 7 deletions


@@ -1,23 +1,23 @@
import fs from 'fs';
import path from 'path';
import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
import { afterEach, beforeEach, describe, expect, it } from 'vitest';
import { stringify } from 'yaml';
import { cleanup, createTempDir, initGitRepo, setupNanoclawDir } from './test-helpers.js';
// We need to mock process.cwd() since update.ts uses it
let tmpDir: string;
const originalCwd = process.cwd();
describe('update', () => {
beforeEach(() => {
tmpDir = createTempDir();
setupNanoclawDir(tmpDir);
initGitRepo(tmpDir);
vi.spyOn(process, 'cwd').mockReturnValue(tmpDir);
process.chdir(tmpDir);
});
afterEach(() => {
vi.restoreAllMocks();
process.chdir(originalCwd);
cleanup(tmpDir);
});
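Review bot: The comment `// We need to mock process.cwd() since update.ts uses it` looks stale, because the new import drops `vi` and setup appears to call `process.chdir(tmpDir)` rather than `vi.spyOn(process, 'cwd')` (the rendered page has lost its +/- markers, so the sides are inferred). I would reword it to `// update.ts reads process.cwd(), so each test chdirs into a temp repo and restores the original directory in afterEach`. Because `process.chdir` changes state for the whole process and is not available in worker threads, the same comment should note that this suite needs a runner pool that runs test files in separate processes. The `describe('update', ...)` block continues past the end of the hunk, so the individual tests were not reviewed.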