From cb87a410f800d2385b226ce4d72b426f43981801 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 6 May 2026 19:51:00 +0000
Subject: [PATCH] Fix path traversal risk in extension URL download filename; fix redundant except clause

Agent-Logs-Url: https://github.com/github/spec-kit/sessions/0c7ae935-443c-4e90-ba92-7c3234a46673
Co-authored-by: mnriem <15701806+mnriem@users.noreply.github.com>
---
 src/specify_cli/__init__.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/specify_cli/__init__.py b/src/specify_cli/__init__.py
index 54f6661a6..8d1e97215 100644
--- a/src/specify_cli/__init__.py
+++ b/src/specify_cli/__init__.py
@@ -3663,7 +3663,8 @@ def extension_add(
         raise typer.Exit(1)
 
     suffix = ".tar.gz" if archive_fmt == "tar.gz" else ".zip"
-    archive_path = download_dir / f"{extension}-url-download{suffix}"
+    safe_name = Path(extension).name or "extension"
+    archive_path = download_dir / f"{safe_name}-url-download{suffix}"
     archive_path.write_bytes(archive_data)
 
     # Install from downloaded archive
@@ -5120,7 +5121,7 @@ def workflow_add(
     local_fmt = _detect_archive_format(source)
     try:
         wf_yaml = _extract_workflow_yml(source_path, local_fmt)
-    except (ValueError, Exception) as exc:
+    except Exception as exc:
         console.print(f"[red]Error:[/red] Failed to extract workflow from archive: {exc}")
         raise typer.Exit(1)
     import tempfile
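Review bot: `Path(extension).name` is not a sanitizer — for an `extension` of `..` (or any value ending in `/..`) it returns `".."`, and on POSIX it leaves backslashes and URL characters such as `?`, `&` and `:` untouched, so `safe_name` stays inside `download_dir` only because the fixed `-url-download{suffix}` tail is always appended to it. That invariant deserves a comment next to the new assignment, e.g. `# .name drops directories but can still be ".."; the appended suffix is what keeps this a plain file under download_dir`, or a stricter filter such as `safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", Path(extension).name).strip(".") or "extension"` (importing `re` if the module does not already) so the stem is a plain token regardless of later edits. Since `extension` appears to be the user-supplied URL here (the code that sets it is outside the hunk), the temp filename arguably should not be derived from it at all, and a `tempfile`-based name as `workflow_add` uses would remove the question entirely. `extension_add` begins and ends outside the hunk.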
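Review bot: Dropping the redundant `ValueError` leaves the handler exactly as broad as before, so a programming error inside `_extract_workflow_yml` (an `AttributeError`, say) is still reported to the user as a bad archive with its traceback discarded; if that helper's failure modes are known (it is not visible in this hunk), narrow the clause to them and let anything else propagate. Separately, `{exc}` is interpolated into a string that the `[red]…[/red]` tags suggest is Rich markup, and an exception message that echoes an archive member name can carry `[`-sequences taken from the untrusted archive, which Rich would either render as markup or reject with a `MarkupError` in place of the intended error line; wrap it as `{escape(str(exc))}` with `from rich.markup import escape`. `workflow_add` begins and ends outside the hunk.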