Severity: HIGH
Location: src/commands/actors/pull.ts:162-175
Parent: #1188
Problem
For SOURCE_FILES actors, file.name from the API response is written via writeFileSync(\${dirpath}/${file.name}`, …)with no sanitization.dirname()does not strip..` components.
Impact
Because users can pull public / other users' actors, file.name is a genuine cross-user trust boundary. A name like ../../.bashrc writes attacker-controlled content outside the target directory (e.g. into the user's home).
Suggested fix
Resolve the path and assert it stays within dirpath before writing:
const target = path.resolve(dirpath, file.name);
if (!target.startsWith(path.resolve(dirpath) + path.sep)) throw new Error('Unsafe path in actor source files');Generated by an ultra code review.
Severity: HIGH
Location:
src/commands/actors/pull.ts:162-175Parent: #1188
Problem
For
SOURCE_FILESactors,file.namefrom the API response is written viawriteFileSync(\${dirpath}/${file.name}`, …)with no sanitization.dirname()does not strip..` components.Impact
Because users can pull public / other users' actors,
file.nameis a genuine cross-user trust boundary. A name like../../.bashrcwrites attacker-controlled content outside the target directory (e.g. into the user's home).Suggested fix
Resolve the path and assert it stays within
dirpathbefore writing:Generated by an ultra code review.