[PR #779] [MERGED] Attachment filename path traversal #780

New issue

Closed

opened 2026-02-26 22:32:31 +03:00 by kerem · 0 comments

kerem commented

2026-02-26 22:32:31 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/rudrankriyam/App-Store-Connect-CLI/pull/779
Author: @cursor[bot]
Created: 2/25/2026
Status: ✅ Merged
Merged: 2/25/2026
Merged by: @rudrankriyam

Base: feat/web-review-resolution ← Head: cursor/attachment-filename-path-traversal-7b2b

📝 Commits (1)

3cc9539 Sanitize review attachment download filenames

📊 Changes

2 files changed (+35 additions, -1 deletions)

View changed files

📝 internal/cli/web/web_review.go (+4 -1)
➕ internal/cli/web/web_review_test.go (+31 -0)

📄 Description

Summary

Fixed a path traversal vulnerability in attachment download filename handling by sanitizing filenames with filepath.Base to prevent directory traversal sequences.

Validation

make format
make lint
make test

Wall of Apps (only if this PR adds/updates a Wall app)

I ran make generate app APP="..." LINK="..." CREATOR="..." PLATFORM="..." (or manually edited docs/wall-of-apps.json + ran make update-wall-of-apps)
I committed all generated files:
- docs/wall-of-apps.json
- README.md

Entry template:

{
  "app": "Your App Name",
  "link": "https://apps.apple.com/app/id1234567890",
  "creator": "your-github-handle",
  "platform": ["iOS"]
}

Common Apple labels: iOS, macOS, watchOS, tvOS, visionOS.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/rudrankriyam/App-Store-Connect-CLI/pull/779 **Author:** [@cursor[bot]](https://github.com/apps/cursor) **Created:** 2/25/2026 **Status:** ✅ Merged **Merged:** 2/25/2026 **Merged by:** [@rudrankriyam](https://github.com/rudrankriyam) **Base:** `feat/web-review-resolution` ← **Head:** `cursor/attachment-filename-path-traversal-7b2b` --- ### 📝 Commits (1) - [`3cc9539`](https://github.com/rudrankriyam/App-Store-Connect-CLI/commit/3cc95391eb4ee19eae5eaf59cef4c8919f85aabf) Sanitize review attachment download filenames ### 📊 Changes **2 files changed** (+35 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `internal/cli/web/web_review.go` (+4 -1) ➕ `internal/cli/web/web_review_test.go` (+31 -0) </details> ### 📄 Description ## Summary - Fixed a path traversal vulnerability in attachment download filename handling by sanitizing filenames with `filepath.Base` to prevent directory traversal sequences. ## Validation - [x] `make format` - [x] `make lint` - [x] `make test` ## Wall of Apps (only if this PR adds/updates a Wall app) - [ ] I ran `make generate app APP="..." LINK="..." CREATOR="..." PLATFORM="..."` (or manually edited `docs/wall-of-apps.json` + ran `make update-wall-of-apps`) - [ ] I committed all generated files: - `docs/wall-of-apps.json` - `README.md` Entry template: ```json { "app": "Your App Name", "link": "https://apps.apple.com/app/id1234567890", "creator": "your-github-handle", "platform": ["iOS"] } ``` Common Apple labels: `iOS`, `macOS`, `watchOS`, `tvOS`, `visionOS`. --- --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>