fix(playlist): sanitize playlist names to prevent path traversal via '/'#1004
Open
berettavexee wants to merge 1 commit into
Open
fix(playlist): sanitize playlist names to prevent path traversal via '/'#1004berettavexee wants to merge 1 commit into
berettavexee wants to merge 1 commit into
Conversation
Playlist names containing '/' were passed directly to clean_filepath(), which preserves slashes as path separators, creating unintended subdirectories. Apply clean_filename() first to replace '/' with '-'. Affects PendingPlaylist.resolve() and PendingLastfmPlaylist.resolve(). Albums were already safe: format_folder_path() passes albumartist and title through clean_filename() before template expansion. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/were passed directly toclean_filepath(), which preserves slashes as path separators, causing unintended subdirectory creation and potential path traversal outside the download root.clean_filename()beforeclean_filepath()in bothPendingPlaylist.resolve()andPendingLastfmPlaylist.resolve()to replace/with-.Root cause
clean_filename()replaces/with-before sanitizing.clean_filepath()callssanitize_filepath()which intentionally preserves/as a path separator (needed for multi-level folder templates). Playlist folder names are single components and must go throughclean_filename()first.Albums were already safe:
AlbumMetadata.format_folder_path()passesalbumartistandtitlethroughclean_filename()before template expansion.Test plan
/(e.g.Best of 80s/90s) — confirm it creates a single folder namedBest of 80s-90sinstead of nestedBest of 80s/90s/pytest)🤖 Generated with Claude Code