fix: sanitize enrichment target_file path traversal
Some checks are pending
CI / lint-and-test (push) Waiting to run
Path(target).name strips directory components from LLM-generated target filenames, preventing path traversal via ../. Same pattern already applied to claim filenames (line 404) and entity filenames (line 416). Ganymede-approved. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent 46ad508de7
commit 4c3ce265e4
1 changed file with 1 addition and 1 deletion
@ -483,7 +483,7 @@ async def _extract_one_source(
if not target or not evidence:
continue
# Find the target claim file in the worktree (search domains/)
target_stem = target.replace(".md", "")
target_stem = Path(target.replace(".md", "")).name
found = None
for domain_dir in (worktree / "domains").iterdir():
candidate = domain_dir / f"{target_stem}.md"
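Review bot: the `+` line silently rewrites a traversal attempt instead of surfacing it; consider comparing the cleaned name against the original and logging (or skipping the source with `continue`, as the `if not target or not evidence:` check above already does) when they differ, so that an LLM emitting `../` in `target` shows up in logs rather than being quietly mapped onto some file under `domains/`. Minor: `target.replace(".md", "")` removes every `.md` occurrence in the string, not only a trailing suffix; `Path(target).name.removesuffix(".md")` (Python 3.9+) strips directories and the suffix in one step and only touches the end of the name. Since the commit message says the same pattern is already used for claim and entity filenames at lines 404 and 416, a small shared helper with a unit test for inputs such as `../../x.md` would keep the three sites consistent and keep them from drifting apart.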