fix: address review feedback on PR #93

- Fix Retry-After slice mutation: copy c.RetryBackoff before modifying to prevent permanent mutation of the shared slice (sonnet#1, security#1) - Cap Retry-After to 120s maximum to prevent excessive sleeps (security#2) - Guard auth header: only set Authorization when token is non-empty (gpt#2) - Fix GetFileContent doc comment to match actual behavior (sonnet#3, gpt#1) - Remove dead 'in_progress/queued' case in mapCheckRunStatus (sonnet#4) - Add testing.Short() guard to slow retry test (sonnet#5) - Reject dot-segments in escapePath to prevent path traversal (security#3) - Add regression tests for non-mutation and escapePath safety
2026-05-12 15:43:45 -07:00
parent d1ef1e21e5
commit 5b43afc6d4
5 changed files with 86 additions and 13 deletions
@@ -275,3 +275,23 @@ func TestDecodeBase64Content_Invalid(t *testing.T) {
 		t.Fatal("expected error for invalid base64")
 	}
 }
+
+func TestEscapePath_RejectsDotSegments(t *testing.T) {
+	tests := []struct {
+		input string
+		want  string
+	}{
+		{"src/main.go", "src/main.go"},
+		{"../etc/passwd", "etc/passwd"},
+		{"./src/../main.go", "src/main.go"},
+		{"a/b/c", "a/b/c"},
+		{"file with spaces.go", "file%20with%20spaces.go"},
+		{"a/./b/../c", "a/b/c"},
+	}
+	for _, tt := range tests {
+		got := escapePath(tt.input)
+		if got != tt.want {
+			t.Errorf("escapePath(%q) = %q, want %q", tt.input, got, tt.want)
+		}
+	}
+}