mirror of
https://github.com/crewAIInc/crewAI.git
synced 2026-05-05 01:02:37 +00:00
Add path boundary validation in convert_to_path() to ensure resolved paths stay within the knowledge directory. This prevents attackers from using '../' sequences to read arbitrary files outside the knowledge dir.

Fixes:
- BaseFileKnowledgeSource.convert_to_path()
- ExcelKnowledgeSource.convert_to_path()
- CrewDoclingSource.validate_content() inline path construction

Added tests covering path traversal rejection and valid path acceptance.

Co-Authored-By: João <joao@crewai.com>
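
The boundary check this commit message describes, as an added example that is not the crewAI patch or any code from the project. The function name `resolve_inside`, the directory names and the sample inputs are constructed for illustration; the check resolves the joined path first and then tests containment by path component, which also covers absolute inputs, sibling directories that share a name prefix, and symlinks pointing outside the base.

```python
import os
import tempfile
from pathlib import Path


def resolve_inside(base_dir, user_path):
    """Return user_path resolved under base_dir, or raise ValueError if it escapes."""
    base = Path(base_dir).resolve()
    # resolve() collapses '..' and follows symlinks; an absolute user_path
    # replaces base entirely in the join, so it is caught by the same check.
    candidate = (base / user_path).resolve()
    try:
        # Component-wise containment. A string startswith() test would accept
        # the sibling directory "knowledge_evil" for base "knowledge".
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes {base}: {user_path!r}") from None
    return candidate


def demo():
    """Run constructed inputs against a temporary layout; return label -> outcome."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root) / "knowledge"
        sibling = Path(root) / "knowledge_evil"
        base.mkdir()
        sibling.mkdir()
        (base / "notes.txt").write_text("inside")
        (sibling / "secret.txt").write_text("outside")
        cases = [
            ("plain", "notes.txt"),
            ("dotdot_inside", "sub/../notes.txt"),
            ("dotdot_escape", "../../etc/passwd"),
            ("sibling_prefix", "../knowledge_evil/secret.txt"),
            ("absolute", str(sibling / "secret.txt")),
        ]
        try:
            os.symlink(sibling / "secret.txt", base / "link.txt")
            cases.append(("symlink_escape", "link.txt"))
        except OSError:
            pass  # platform without symlink permission: skip that case
        for label, value in cases:
            try:
                resolve_inside(base, value)
                outcomes[label] = "accepted"
            except ValueError:
                outcomes[label] = "rejected"
    return outcomes
```

Calling `demo()` returns one outcome per constructed input, which makes the same cases easy to carry into a regression test for any loader that builds paths from caller-supplied names.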