Fix path traversal risk in extension URL download filename; fix redundant except clause
Agent-Logs-Url: https://github.com/github/spec-kit/sessions/0c7ae935-443c-4e90-ba92-7c3234a46673 Co-authored-by: mnriem <15701806+mnriem@users.noreply.github.com>
committed by
GitHub
parent
0fd0bf6b9f
commit
cb87a410f8
@@ -3663,7 +3663,8 @@ def extension_add(
|
||||
raise typer.Exit(1)
|
||||
|
||||
suffix = ".tar.gz" if archive_fmt == "tar.gz" else ".zip"
|
||||
archive_path = download_dir / f"{extension}-url-download{suffix}"
|
||||
safe_name = Path(extension).name or "extension"
|
||||
archive_path = download_dir / f"{safe_name}-url-download{suffix}"
|
||||
archive_path.write_bytes(archive_data)
|
||||
|
||||
# Install from downloaded archive
|
||||
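Review bot: `safe_name = Path(extension).name or "extension"` silently rewrites a malformed name instead of rejecting it, so a value such as `a/../b` is accepted as `b` and the user is never told the argument was invalid. Since the value only labels a scratch file here, it would be clearer to fail closed, e.g. `if Path(extension).name != extension: console.print("[red]Error:[/red] Invalid extension name"); raise typer.Exit(1)`, or to leave the user-supplied value out of the download filename altogether. `extension_add` starts and ends outside the hunk, so whether `extension` is validated earlier, or joined into other paths later, is not visible and worth checking. A regression test that passes a name containing `../` and asserts the archive stays under `download_dir` would pin the fix.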
@@ -5120,7 +5121,7 @@ def workflow_add(
|
||||
local_fmt = _detect_archive_format(source)
|
||||
try:
|
||||
wf_yaml = _extract_workflow_yml(source_path, local_fmt)
|
||||
except (ValueError, Exception) as exc:
|
||||
except Exception as exc:
|
||||
console.print(f"[red]Error:[/red] Failed to extract workflow from archive: {exc}")
|
||||
raise typer.Exit(1)
|
||||
import tempfile
|
||||
|
||||
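Review bot: The handler at `except Exception as exc:` is still a catch-all, so a programming error inside `_extract_workflow_yml` is reported as "Failed to extract workflow from archive" exactly like a genuinely malformed or unsafe archive. Naming the failures that extraction is expected to produce would keep the two apart, for example `except (ValueError, OSError, zipfile.BadZipFile, tarfile.TarError) as exc:`, assuming those modules are imported in this file and match what the helper raises, which the hunk does not show. If `console` is a Rich console, as the `[red]` markup suggests, `{exc}` may carry text taken from the archive and should go through `rich.markup.escape` so it is not interpreted as markup. `workflow_add` starts and ends outside the hunk.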