@@ -26,7 +26,12 @@ func (w *Wrapper) Generate(derivationPath, outputPath string) error {
2626 return fmt .Errorf ("derivation path does not exist: %s" , derivationPath )
2727 }
2828
29- // Validate and sanitize outputPath to prevent path traversal
29+ // Validate and sanitize outputPath to prevent path traversal.
30+ // Security assumption: outputPath is operator-controlled via command-line flags
31+ // (e.g., --output in main.go). Untrusted input must not be accepted here.
32+ // Allowing absolute paths that clean to system locations is intentional since
33+ // input is trusted. If Generate() becomes reachable from untrusted sources,
34+ // this validation must be strengthened.
3035 cleanOutputPath := filepath .Clean (outputPath )
3136 if strings .Contains (cleanOutputPath , ".." ) {
3237 return fmt .Errorf ("invalid output path: path traversal detected" )
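Review bot: The `strings.Contains(cleanOutputPath, "..")` check that follows the new comment does not match what the comment claims: `filepath.Clean` has already collapsed interior `..` components, so what survives is either a leading `..` on a relative path (rejected) or a literal `..` inside a file name such as `key..bak` (rejected as a false positive), while every absolute path passes unchanged and symlinks are not considered at all. If confinement to the working tree is the intent and the module targets Go 1.20 or later, `if !filepath.IsLocal(outputPath) { return fmt.Errorf("invalid output path: must be local") }` states it directly; if the operator-trust assumption is the governing one, the comment should instead say `// Only rejects relative escapes and names containing ".."; absolute paths are accepted as operator input.` so the next reader does not take the check for a traversal guard. The same check and comment appear in GenerateMultiple in the second hunk. Generate's body begins and ends outside this hunk.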
@@ -54,7 +59,8 @@ func (w *Wrapper) GenerateMultiple(derivationPaths []string, outputPath string)
5459 return w .Generate (derivationPaths [0 ], outputPath )
5560 }
5661
57- // Validate and sanitize outputPath to prevent path traversal
62+ // Validate and sanitize outputPath to prevent path traversal.
63+ // See security assumption comment in Generate().
5864 cleanOutputPath := filepath .Clean (outputPath )
5965 if strings .Contains (cleanOutputPath , ".." ) {
6066 return fmt .Errorf ("invalid output path: path traversal detected" )