chore(scripts): Add git worktree management tools #5497
1 issue
find-bugs: Found 1 issue (1 medium)
Medium
Path traversal allows worktree creation outside intended directory - `scripts/worktree-create.sh:17`
The Makefile regex validation `^[a-zA-Z0-9_/-]+$` permits forward slashes in the NAME parameter. This allows path traversal sequences like `../../foo` to create worktrees outside the intended `.worktrees` directory. An attacker with access to the Makefile target could create worktrees in arbitrary locations within the filesystem (relative to repo root), potentially overwriting or polluting other directories.
Also found at:
scripts/worktree-delete.sh:13
Duration: 51.1s · Tokens: 119.4k in / 4.2k out · Cost: $0.26 (+merge: $0.00)
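To see what the quoted validation actually accepts and rejects, here is an added POSIX sh example (editor's code, not the PR's `scripts/worktree-create.sh` or its Makefile). It runs the regex exactly as quoted, `^[a-zA-Z0-9_/-]+$`, over a constructed set of names and puts two hardened checks beside it: a single-component one, and one that keeps nested names such as `team/feature-1` but rejects absolute paths and `.`/`..` components. One caveat a reviewer should verify against the real Makefile: the character class as quoted contains no `.`, so `../../foo` does not match it; what it does accept is any slash-separated name, including a leading-slash one such as `/tmp/foo`. Whether such a name escapes `.worktrees` depends on how the script joins it to the directory, which the page does not show, so `WORKTREE_DIR` and the `$WORKTREE_DIR/$NAME` layout below are assumptions.

```sh
#!/bin/sh
# Added example, not code from PR #5497. Assumes NAME arrives as one positional
# argument and that worktrees are created at "$WORKTREE_DIR/$NAME"; both the
# variable and the layout are assumptions, not taken from the PR's scripts.
WORKTREE_DIR=".worktrees"
NL='
'

# The Makefile validation as the finding quotes it. '/' is in the allowed set,
# so nested and leading-slash names pass; '.' is not, so "../../foo" does not.
name_ok_weak() {
    printf '%s\n' "$1" | grep -Eq '^[a-zA-Z0-9_/-]+$'
}

# Hardened, single-component check: no '/', no '.', no leading '-' (so the
# name cannot be read as a git option) and no embedded newline, which a
# line-oriented grep would otherwise let slip past the anchored regex.
name_ok_strict() {
    case "$1" in
        ''|-*|*/*|*.*|*"$NL"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[a-zA-Z0-9_-]+$'
}

# Hardened check that still allows nested names (team/feature-1): rejects
# absolute paths, trailing or doubled slashes, then validates each component
# with name_ok_strict. Components are peeled off with parameter expansion
# rather than "for c in $n" so no pathname globbing can interfere.
name_ok_nested() {
    n=$1
    case "$n" in
        ''|/*|*/|*//*|*"$NL"*) return 1 ;;
    esac
    while [ -n "$n" ]; do
        comp=${n%%/*}
        name_ok_strict "$comp" || return 1
        case "$n" in
            */*) n=${n#*/} ;;
            *)   n= ;;
        esac
    done
    return 0
}

# Only build the target path once the name has passed the nested check, so a
# rejected name never reaches "git worktree add".
worktree_target() {
    name_ok_nested "$1" || return 1
    printf '%s/%s\n' "$WORKTREE_DIR" "$1"
}

# Usage: sh worktree-name-check.sh NAME...  (one verdict line per name)
report() {
    for n in "$@"; do
        if name_ok_weak "$n"; then w=accept; else w=reject; fi
        if name_ok_nested "$n"; then h=accept; else h=reject; fi
        printf '%-18s quoted-regex=%-7s hardened=%s\n' "$n" "$w" "$h"
    done
}

if [ $# -gt 0 ]; then
    report "$@"
fi
```

Running it as `sh worktree-name-check.sh feature-1 team/feature-1 /tmp/foo ../../foo a/./b` shows the quoted regex accepting the first three and rejecting the last two, while the hardened check accepts only the first two. If the real script prefixes `.worktrees/` unconditionally, a leading slash merely produces `.worktrees//tmp/foo`; if it `cd`s into the directory first or passes NAME to git unprefixed, the same input is an absolute path, which is the case the nested check closes.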
Annotations
Check warning on line 17 in scripts/worktree-create.sh
github-actions / warden: find-bugs
Path traversal allows worktree creation outside intended directory
The Makefile regex validation `^[a-zA-Z0-9_/-]+$` permits forward slashes in the NAME parameter. This allows path traversal sequences like `../../foo` to create worktrees outside the intended `.worktrees` directory. An attacker with access to the Makefile target could create worktrees in arbitrary locations within the filesystem (relative to repo root), potentially overwriting or polluting other directories.
Check warning on line 13 in scripts/worktree-delete.sh
github-actions / warden: find-bugs
[QA3-AZZ] Path traversal allows worktree creation outside intended directory (additional location)