
[micro-fix] fix(security): H-07 — Prevent path traversal in credential IDs #5594

Open
shibinsp wants to merge 1 commit into aden-hive:main from shibinsp:fix/h07-path-traversal-credentials


@shibinsp shibinsp commented Mar 1, 2026

Fixes #5563

Summary

Adds strict input sanitization to credential IDs to prevent path traversal attacks.

Severity: 🟠 High — Crafted credential IDs could access files outside the credential store.

Changes

  • Added _sanitize_id() with strict regex sanitization
  • Strips all path separators, dots, and special characters

Files Changed

  • framework/credential_storage.py — +15 lines

Test Plan

  • All 5 tests passing on fix branch

Note: Using micro-fix bypass. Please assign me to the linked issue.

Replace character-by-character slash/dot replacement with a strict
allowlist regex that only permits alphanumeric, hyphens, and
underscores in credential IDs.

Applied to both:
- LocalFileStorage._cred_path() — with additional resolved-path check
- HashiCorpVault._path() — with strict regex sanitization

The previous approach (replacing / and \\ with _) missed encoded
sequences, null bytes, and other traversal vectors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
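
Added example, not code from this pull request or the aden-hive project: a sketch of the two layers the commit message names, an allowlist regex on the credential ID followed by a resolved-path containment check. The function names, the `.json` suffix and the 128-character cap are assumptions, and this sketch rejects a non-conforming ID outright instead of stripping characters, so two different inputs can never map to the same file.

```python
import re
import tempfile
from pathlib import Path

# Allowlist from the commit message: alphanumerics, hyphens, underscores.
# The 128-character cap is an assumption of this example.
_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def validate_credential_id(cred_id: str) -> str:
    """Return cred_id unchanged if it matches the allowlist, else raise."""
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if not isinstance(cred_id, str) or not _ID_RE.fullmatch(cred_id):
        raise ValueError("invalid credential id")
    return cred_id


def credential_path(base_dir: Path, cred_id: str) -> Path:
    """Build the on-disk path and confirm it resolves inside base_dir."""
    base = base_dir.resolve()
    # The ".json" suffix is an assumption of this example.
    candidate = (base / f"{validate_credential_id(cred_id)}.json").resolve()
    # Second layer: a symlink inside the store passes the regex but
    # resolves elsewhere.
    if not candidate.is_relative_to(base):
        raise ValueError("credential path escapes the store")
    return candidate


def check_samples(base_dir: Path) -> dict:
    """Map each constructed sample ID to True (accepted) or False."""
    samples = ["github-token_1", "../../etc/passwd", "..\\secrets",
               "%2e%2e%2fkey", "id\x00.json", "a.b", "abc\n", ""]
    results = {}
    for sample in samples:
        try:
            credential_path(base_dir, sample)
            results[sample] = True
        except ValueError:
            results[sample] = False
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as store:
        for cred_id, ok in check_samples(Path(store)).items():
            print(f"{cred_id!r:22} {'accepted' if ok else 'rejected'}")
```

`Path.is_relative_to` needs Python 3.9 or later.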

Development

Successfully merging this pull request may close these issues.

[Security] H-07: Path traversal in credential storage (High)
