Harden automation storage ids#3443
Conversation
Validate automation and run ids before composing durable storage paths so caller-supplied ids cannot escape the automations or runs roots. Tests cover read/list/write rejection for path-like automation and run ids.
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces path validation for automation and run IDs in the AutomationManager to prevent path traversal vulnerabilities, updating path-resolving methods to return a Result and adding comprehensive unit tests. The feedback suggests simplifying the validate_storage_id function by removing the redundant id.trim() != id check, as any leading or trailing whitespace would already fail the ASCII alphanumeric and hyphen/underscore check.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| if id.is_empty() | ||
| || id.trim() != id | ||
| || !id | ||
| .bytes() | ||
| .all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_') | ||
| { | ||
| bail!("{label} must be a safe path segment"); | ||
| } |
There was a problem hiding this comment.
The check id.trim() != id is redundant because any leading or trailing whitespace characters (or any other characters stripped by trim()) are not ASCII alphanumeric, -, or _. Therefore, any string with such characters will already fail the .bytes().all(...) check. Removing this redundant check simplifies the validation logic.
if id.is_empty()
|| !id
.bytes()
.all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
{
bail!("{label} must be a safe path segment");
}
|
Closing this narrower branch because the same automation storage-id hardening is already covered in the broader v0.8.65 local-state hardening PR #3433. |
1 participant
Goal
Harden durable automation storage path construction for the v0.8.65 lane.
Changes
Verification
Risks
Low. CodeWhale-generated automation and run ids are UUID strings, which remain accepted. The new guard rejects only ids that are not safe single path segments.