27282426364
67%

Ran 10 Jun 2026 02:18PM UTC

Jobs 1

Files 751

Run time 2min

Badge

Embed ▾

Committed 10 Jun 2026 02:12PM UTC coverage: 66.288% (+0.001%) from 66.287%

Build # 27282426364

Build Type

push

github

Committed by

web-flow

Commit Message

Prevent path traversal in LocalStore.getFilePath (#5464)

getFilePath constructed file paths with filepath.Join but never
verified the result stayed within basePath. A name like
"../../../etc/passwd" would resolve outside the state directory,
making GetReader, GetWriter, CreateExclusive, Delete, and Exists
all vulnerable to path traversal.

Fix: after filepath.Join (which calls filepath.Clean to resolve ".."
components), check that the result starts with basePath+separator
using the same containment pattern already established in
pkg/fileutils/contained.go. Update the #nosec G304 comments to
reflect that the check is now actually enforced.

Closes #4736

Coverage Stats

29 of 29 new or added lines in 1 file covered. (100.0%)

12 existing lines in 3 files now uncovered.

67293 of 101516 relevant lines covered (66.29%)

63.14 hits per line

Coverage Regressions

Lines	Coverage	∆	File
6	20.11	-3.45%	pkg/client/manager.go
3	73.79	0.45%	pkg/state/local.go
3	78.17	-0.76%	pkg/transport/proxy/httpsse/http_proxy.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	27282426364.1	10 Jun 2026 02:18PM UTC	751	66.29	GitHub Action Run

stacklok / toolhive / 27282426364
67%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Coverage Regressions

Jobs

Source Files on build 27282426364

stacklok / toolhive / 27282426364 67%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Coverage Regressions

Jobs

Source Files on build 27282426364

stacklok / toolhive / 27282426364
67%

README BADGES
x