Skip to content

fix(security): validate pkg_name and pkg_id as path components#184

Merged
QaidVoid merged 1 commit into
mainfrom
fix/pkg-name-path-traversal
Jul 16, 2026
Merged

fix(security): validate pkg_name and pkg_id as path components#184
QaidVoid merged 1 commit into
mainfrom
fix/pkg-name-path-traversal

Conversation

@QaidVoid

@QaidVoid QaidVoid commented Jul 16, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • Bug Fixes
    • Added path-safety validation for package names and IDs.
    • Rejected package paths containing traversal sequences, absolute paths, or nested components.
    • Prevented unsafe packages from being imported or installed.
    • Added coverage for invalid package path scenarios.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ec52380a-b71e-49b2-986d-1b9a7ed07172

📥 Commits

Reviewing files that changed from the base of the PR and between c4b34f9 and 20d700e.

📒 Files selected for processing (3)
  • crates/soar-core/src/package/url.rs
  • crates/soar-db/src/repository/metadata.rs
  • crates/soar-operations/src/install.rs

📝 Walkthrough

Walkthrough

Package URL and GHCR parsing now reject unsafe package names and identifiers. Remote metadata insertion skips invalid packages, while single-package installation fails before using unsafe path components.

Changes

Package path safety

Layer / File(s) Summary
URL package validation
crates/soar-core/src/package/url.rs
Derived and overridden pkg_name and pkg_id values are validated as safe single path components for GHCR and URL construction, with traversal rejection tests.
Remote metadata insertion guard
crates/soar-db/src/repository/metadata.rs
Remote package insertion logs a warning and skips packages whose name or identifier is not a safe path component.
Installation path guard
crates/soar-operations/src/install.rs
Single-package installation returns an error for unsafe package names or identifiers before constructing the install directory path.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs

  • pkgforge/soar#182: Applies related is_safe_component validation to remote package provides values and symlink handling.
  • pkgforge/soar#183: Extends path-component validation to repository and configuration validation.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main security fix: validating pkg_name and pkg_id as safe path components.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/pkg-name-path-traversal

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying soar-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 20d700e
Status: ✅  Deploy successful!
Preview URL: https://12890281.soar-docs.pages.dev
Branch Preview URL: https://fix-pkg-name-path-traversal.soar-docs.pages.dev

View logs

@QaidVoid
QaidVoid merged commit 97a0f57 into main Jul 16, 2026
10 of 11 checks passed
This was referenced Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant