Context
In src/config/schema.rs (line 74):
A malicious template could set `answers.file` to something like `../../.bashrc` and overwrite files outside the output directory. While this is low risk since users opt in to running templates, it's worth defending against.
Suggestion
Add validation during config parsing or `plan_generation` that the answers filename:
- Does not contain `..`
- Is not an absolute path
- Does not escape the output directory
This would be a defense-in-depth measure consistent with the existing security posture (e.g., cache key sanitization in `cache.rs:74`).
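One way to implement the three checks suggested above, as an added example that is not the project's own code: a purely lexical validator that rejects a `..` anywhere in the filename, rejects absolute or rooted paths, and then joins the name onto the output directory and confirms the result still starts with it. The function and error type (`resolve_answers_file`, `AnswersPathError`) are hypothetical names chosen for this example; nothing here touches the filesystem, so it can run at config-parse time before any file is written. Symlinks inside the output directory are out of scope for a lexical check and would need a separate canonicalization step after the directory exists.

```rust
use std::path::{Component, Path, PathBuf};

/// Why a template-supplied answers filename was rejected (hypothetical type).
#[derive(Debug, PartialEq, Eq)]
pub enum AnswersPathError {
    /// Empty string or a path with no real component (e.g. ".").
    Empty,
    /// Absolute path, rooted path, or a Windows drive prefix.
    Absolute,
    /// Contains "..": the reviewer's first bullet, applied as a substring check
    /// so that it also catches odd spellings such as "a/..b/../c".
    ParentDir,
    /// Joined path does not start with the output directory.
    EscapesOutputDir,
}

/// Validate `answers_file` as a relative name and resolve it under `output_dir`.
/// Lexical only: no filesystem access, so safe to call during config parsing.
pub fn resolve_answers_file(
    output_dir: &Path,
    answers_file: &str,
) -> Result<PathBuf, AnswersPathError> {
    if answers_file.is_empty() {
        return Err(AnswersPathError::Empty);
    }
    // Bullet 1: "Does not contain ..". A substring check is deliberately
    // stricter than only rejecting ParentDir components.
    if answers_file.contains("..") {
        return Err(AnswersPathError::ParentDir);
    }
    let candidate = Path::new(answers_file);
    // Bullet 2: "Is not an absolute path" (has_root also covers "/x" on Windows).
    if candidate.is_absolute() || candidate.has_root() {
        return Err(AnswersPathError::Absolute);
    }

    let mut resolved = output_dir.to_path_buf();
    let mut normal_components = 0usize;
    for component in candidate.components() {
        match component {
            Component::Normal(part) => {
                resolved.push(part);
                normal_components += 1;
            }
            // "./answers.yaml" is fine; "." contributes nothing.
            Component::CurDir => {}
            // Unreachable after the substring check, kept so the match stays exhaustive.
            Component::ParentDir => return Err(AnswersPathError::ParentDir),
            Component::RootDir | Component::Prefix(_) => return Err(AnswersPathError::Absolute),
        }
    }
    if normal_components == 0 {
        return Err(AnswersPathError::Empty);
    }
    // Bullet 3: "Does not escape the output directory". Given the checks above this
    // holds by construction; it is the invariant callers should rely on, so check it.
    if !resolved.starts_with(output_dir) {
        return Err(AnswersPathError::EscapesOutputDir);
    }
    Ok(resolved)
}

fn main() {
    let out = Path::new("/tmp/out");
    for name in ["answers.yaml", "./sub/answers.yaml", "../../.bashrc", "/etc/passwd", "."] {
        println!("{name:?} -> {:?}", resolve_answers_file(out, name));
    }
}
```

Calling this once at parse time and storing the resolved `PathBuf` on the config means later write paths never see the raw template string, which is the same pattern the cache key sanitization follows.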