π‘οΈ Sentinel: [CRITICAL] Fix path traversal in CustomEmployeeManager#150
π‘οΈ Sentinel: [CRITICAL] Fix path traversal in CustomEmployeeManager#150mleem97 wants to merge 1 commit into
Conversation
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
π¨ Severity: CRITICAL
π‘ Vulnerability: The
idparameter inCustomEmployeeManager.Registeris not validated, which allows path traversal attacks when theidis subsequently used to construct file paths for the employee's portrait image inSetPortrait.π― Impact: An attacker or malicious mod could register an employee with an ID like
../../secrets.txtleading to arbitrary file read issues when the mod attempts to load portrait assets.π§ Fix: Added input validation for the
idargument in theCustomEmployeeManager.Registermethod to check for invalid filename characters (Path.GetInvalidFileNameChars()) and... If found, registration is rejected.β Verification: Verified that tests pass via
dotnet testand the code builds successfully. The added journal entry in.jules/sentinel.mddocuments this critical learning.PR created automatically by Jules for task 11384705067694518917 started by @mleem97