Igor Lins e Silva 50239d4b49 fix: sanitize SESSION_ID in save hook to prevent path traversal ...

The save hook uses SESSION_ID in file paths (state_dir/).
A crafted session_id value like '../../etc/cron.d/evil' could write
state files outside the intended directory.

Strip everything except [a-zA-Z0-9_-] from SESSION_ID, defaulting
to 'unknown' if empty after sanitization.

Finding: #4 (HIGH — path traversal via SESSION_ID)

Includes test infrastructure from PR #131.
92 tests pass.

2026-04-07 18:53:31 -03:00

..

conftest.py

fix: CI failures — update workflow for uv migration, fix lint and format

2026-04-07 17:59:21 -03:00

test_config.py

bench: add benchmark runners, results docs, and test suite

2026-04-04 18:33:42 -07:00

test_convo_miner.py

bench: add benchmark runners, results docs, and test suite

2026-04-04 18:33:42 -07:00

test_dialect.py

fix: sanitize SESSION_ID in save hook to prevent path traversal

2026-04-07 18:53:31 -03:00

test_knowledge_graph.py

fix: CI failures — update workflow for uv migration, fix lint and format

2026-04-07 17:59:21 -03:00

test_mcp_server.py

fix: CI failures — update workflow for uv migration, fix lint and format

2026-04-07 17:59:21 -03:00

test_miner.py

fix: support nested .gitignore rules during mining

2026-04-08 00:02:21 +08:00

test_normalize.py

bench: add benchmark runners, results docs, and test suite

2026-04-04 18:33:42 -07:00

test_searcher.py

fix: CI failures — update workflow for uv migration, fix lint and format

2026-04-07 17:59:21 -03:00

test_split_mega_files.py

refactor: consolidate split known-names config loading

2026-04-07 09:16:07 +01:00

test_version_consistency.py

fix: unify package and MCP version reporting

2026-04-07 08:53:25 +01:00