firefrost-gaming/skill-seekers-reference
3
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix: add path traversal protection to get_workflow_tool + tests (#325)

Browse Source 
PR #326 added _validate_name() to create/update/delete but missed
get_workflow_tool, which would raise an unhandled ValueError instead of
returning a user-friendly error. Added try/except handling and 6 tests
covering all 4 tool functions with malicious names.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
yusyus
2026-03-28 20:56:52 +03:00
parent a12743769e
commit 6beff3d52f
2 changed files with 79 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/skill_seekers/mcp/tools/workflow_tools.py
View File

@@ -135,6 +135,10 @@ def get_workflow_tool(args: dict) -> list:
name = args.get("name", "").strip()
if not name:
return [TextContent(type="text", text="Error: 'name' parameter is required.")]
try:
_validate_name(name)
except ValueError as exc:
return [TextContent(type="text", text=f"Error: {exc}")]
text = _read_workflow(name)
if text is None: