Context
PR #242 deletes engine/src/validate.rs and its pub use validate::validate_safe_output_path re-export from lib.rs. This function provides path traversal protection and is needed by both the CLI and the new side_inference module.
Impact
- Breaking public API for any downstream consumer of infiniloom_engine
- side_inference/mod.rs:96-107 has a path traversal vulnerability in find_manifest_for_file that this function could protect against
- install.rs writes to arbitrary paths without validation
Suggested Fix
- Restore validate.rs or move to CLI crate
- Apply path validation in find_manifest_for_file and install.rs
Files
engine/src/lib.rs
engine/src/validate.rs (deleted)
engine/src/side_inference/mod.rs:96-107
cli/src/commands/install.rs
Severity
High
Found during review of #242
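
A sketch of the kind of containment check the suggested fix calls for, added here as an illustration; it is not the project's validate_safe_output_path, whose signature does not appear on this page. The name `resolve_within` and the sample paths are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical helper (not the project's validate_safe_output_path):
/// joins `candidate` onto `base` and rejects any result that would leave `base`.
/// Purely lexical: it does not touch the filesystem and does not resolve symlinks.
pub fn resolve_within(base: &Path, candidate: &Path) -> Result<PathBuf, String> {
    let mut depth: usize = 0; // number of components currently below `base`
    let mut out = base.to_path_buf();
    for comp in candidate.components() {
        match comp {
            // An absolute path or Windows prefix would replace `base` on join.
            Component::RootDir | Component::Prefix(_) => {
                return Err(format!("absolute path rejected: {}", candidate.display()));
            }
            Component::CurDir => {}
            Component::ParentDir => {
                // `..` is only allowed while we are still below `base`.
                if depth == 0 {
                    return Err(format!("path escapes base: {}", candidate.display()));
                }
                depth -= 1;
                out.pop();
            }
            Component::Normal(part) => {
                depth += 1;
                out.push(part);
            }
        }
    }
    if depth == 0 {
        return Err("path resolves to the base directory itself".to_string());
    }
    Ok(out)
}

fn main() {
    // Constructed sample inputs.
    let base = Path::new("/srv/project");
    for p in ["manifests/app.toml", "a/../b.txt", "../../etc/passwd", "/etc/passwd"] {
        println!("{:>20} -> {:?}", p, resolve_within(base, Path::new(p)));
    }
}
```

Because the check is lexical, a symlink inside the base directory can still point outside it; callers working with existing paths would additionally need to canonicalize and re-check the result.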