fix: add security validation for output_file paths

Co-Authored-By: Joe Moura <joao@crewai.com>
Devin AI
2024-12-29 03:23:29 +00:00
parent 8871d9a6cd
commit ce4a730f76
2 changed files with 119 additions and 13 deletions


@@ -875,3 +875,25 @@ def test_key():
assert (
task.key == hash
), "The key should be the hash of the non-interpolated description."
def test_output_file_validation():
"""Test output file path validation."""
# Valid paths
assert Task(output_file="output.txt").output_file == "output.txt"
assert Task(output_file="/tmp/output.txt").output_file == "tmp/output.txt"
assert Task(output_file="{dir}/output_{date}.txt").output_file == "{dir}/output_{date}.txt"
# Invalid paths
with pytest.raises(ValueError, match="Path traversal"):
Task(output_file="../output.txt")
with pytest.raises(ValueError, match="Path traversal"):
Task(output_file="folder/../output.txt")
with pytest.raises(ValueError, match="Shell special characters"):
Task(output_file="output.txt | rm -rf /")
with pytest.raises(ValueError, match="Shell expansion"):
Task(output_file="~/output.txt")
with pytest.raises(ValueError, match="Shell expansion"):
Task(output_file="$HOME/output.txt")
with pytest.raises(ValueError, match="Invalid template variable"):
Task(output_file="{invalid-name}/output.txt")
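Review bot: The "Valid paths" assertion for `/tmp/output.txt` pins a silent rewrite to `tmp/output.txt`, so a caller who asks for an absolute location gets a file under the working directory and no error. If that normalisation is intended, say so next to the assertion, e.g. `# leading "/" is stripped: absolute paths are written relative to the working directory`; otherwise reject the input with `with pytest.raises(ValueError): Task(output_file="/tmp/output.txt")`. The placeholder cases check only the template string `{dir}/output_{date}.txt`. Whether the value later substituted for `{dir}` goes through the same traversal and shell-character checks is not visible in this hunk, so a test that validates the path after substitution would close that gap. The validator lives in the other changed file, which is not shown here.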