fix(extensions): wire up list --available catalog query + harden add --from path traversal#2
Closed
darion-yaphet wants to merge 2 commits into
…ry the catalog
- extension add --from: sanitize the extension label before building the download filename so "../" path separators can no longer escape the downloads dir and overwrite arbitrary files
- extension list --available/--all: actually query the catalog and list uninstalled extensions (filtering out installed IDs), instead of only printing a static install hint that contradicted the CLI help and docs

… path traversal

Add regression coverage for the two behaviors wired up in the preceding fix:
- list --available/--all: queries the catalog, filters installed IDs, marks discovery-only entries, reports an empty catalog, and exits 1 on catalog failure.
- add --from <url>: a label containing path separators is sanitized so the download cannot escape the downloads cache dir.

Both suites were verified red against the pre-fix behavior and green after.
Author
Re-targeting to upstream github/spec-kit; closing this fork-internal PR.
What
Splits the user-visible behavior change out of the PR-7 structural refactor (github#3014) into its own reviewable PR, with test coverage.

Stacked on top of `refactor/split-init-pr7` (github#3014) — base will retarget to `main` once github#3014 merges.

Why

The `extension list --available/--all` flags have existed since the original extension system (github#1551) and their help text has always advertised "Show available extensions from catalog". But the implementation was a stub that only printed a static install hint and never queried the catalog. The `ExtensionCatalog` infrastructure was already present — the flags were simply never wired to it. This is a long-standing dead/misleading-flag fix, orthogonal to the structural move, so it does not belong silently inside a "no behavior change" refactor PR.

Changes

- `extension list --available/--all`: actually query the catalog and list uninstalled extensions (filtering out installed IDs), instead of the static hint that contradicted the CLI help and docs. `--available` lists catalog-only; `--all` lists installed + available. Surfaces a clear error and exits non-zero when the catalog is unavailable.
- `extension add --from <url>`: sanitize the extension label before building the download filename, so `../`-style separators can no longer escape the downloads cache dir (path traversal).

Tests

- `test_extension_list_available.py` — catalog query, installed-ID filtering, discovery-only entries, empty catalog, catalog-error exit, `--all` showing both sections.
- `test_extension_add_path_traversal.py` — a traversal label is sanitized so the download stays inside the downloads dir.

Both suites were verified red against the pre-fix behavior and green after.
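The shape of the `add --from` fix described above, as an added example that is not spec-kit's own code: a naive filename build that lets a `../` label escape the cache dir, beside a sanitizer plus a containment check. The function names and the `/tmp/specify-downloads` cache path are constructed for the example.

```python
import re
from pathlib import Path

# Any character outside this set (which includes '/' and '\\') is disallowed
# in a label; runs of them collapse to a single '_'.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_label(label: str) -> str:
    """Reduce an untrusted extension label to one safe filename component.

    Leading dots are stripped so the result can never be '.', '..' or a
    dot-file; an empty result falls back to a fixed name instead of '.zip'.
    """
    cleaned = _UNSAFE.sub("_", label).lstrip(".")
    return cleaned or "extension"


def naive_download_path(downloads_dir: str, label: str) -> str:
    """Pre-fix shape of the bug: the raw label goes straight into the filename."""
    return str(Path(downloads_dir) / f"{label}.zip")


def is_inside(downloads_dir: str, candidate: str) -> bool:
    """True only if candidate resolves to a direct child of downloads_dir."""
    root = Path(downloads_dir).resolve()
    return Path(candidate).resolve().parent == root


def download_path(downloads_dir: str, label: str) -> str:
    """Hardened version: sanitize, then refuse any result outside downloads_dir.

    The containment check is defence in depth: if the sanitizer is ever
    weakened, the write is rejected rather than landing elsewhere.
    """
    target = str(Path(downloads_dir) / f"{sanitize_label(label)}.zip")
    if not is_inside(downloads_dir, target):
        raise ValueError(f"refusing to write outside {downloads_dir}: {target}")
    return target


if __name__ == "__main__":
    # Constructed sample values; the cache directory does not need to exist.
    cache = "/tmp/specify-downloads"
    for label in ("speckit-demo", "../../etc/passwd", "..\\..\\win", "..."):
        naive_ok = is_inside(cache, naive_download_path(cache, label))
        print(f"{label!r:20} naive_inside={naive_ok!s:5} hardened={download_path(cache, label)}")
```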