From 15b1cec994155eaaa3c11e05961b84daff8c854f Mon Sep 17 00:00:00 2001 From: Daniel Kennedy Date: Mon, 26 Jan 2026 20:31:02 -0500 Subject: [PATCH] Test: negative check for malicious paths --- .../artifact/__tests__/download-artifact.test.ts | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/packages/artifact/__tests__/download-artifact.test.ts b/packages/artifact/__tests__/download-artifact.test.ts index 3865e20b..2da378d9 100644 --- a/packages/artifact/__tests__/download-artifact.test.ts +++ b/packages/artifact/__tests__/download-artifact.test.ts @@ -929,6 +929,19 @@ describe('download-artifact', () => { const savedFilePath = path.join(fixtures.workspaceDir, sanitizedFileName) expect(fs.existsSync(savedFilePath)).toBe(true) expect(fs.readFileSync(savedFilePath, 'utf8')).toBe(rawFileContent) + + // Verify the file was NOT written outside the workspace directory + const maliciousPathEncoded = path.resolve( + fixtures.workspaceDir, + encodedMaliciousFileName + ) + expect(fs.existsSync(maliciousPathEncoded)).toBe(false) + + const maliciousPath = path.resolve( + fixtures.workspaceDir, + "../../../etc/passwd" + ) + expect(fs.existsSync(maliciousPath)).toBe(false) }) }) })