fix: path traversal in yaml_vault_config_repository via assertPathContained (#393)

[stack72]

Summary

Fixes the path traversal vulnerability reported in #393.

getTypeDir() in YamlVaultConfigRepository passed the user-supplied vaultType string directly to join() with no validation, allowing a crafted type like "../../.ssh" to escape .swamp/vault/.

The fix pattern already existed in unified_data_repository.ts via assertPathContained(). This change applies the same approach here.

Plan vs Implementation

The plan (issue #393) identified two possible fix approaches:

1. Add component validation rejecting .., /, \, and null bytes
2. Use assertPathContained() from unified_data_repository.ts

Implementation chose option 2 — porting assertPathContained() directly — because:

• It is already proven and in use for the same class of problem
• It uses resolve() to handle all path normalisation edge cases (not just literal .. segments)
• It keeps the fix consistent with the existing codebase pattern

Changes

• Added resolve to the @std/path import alongside the existing join
• Ported assertPathContained() from unified_data_repository.ts (identical logic: resolves both paths and checks prefix containment)
• Updated getTypeDir() to call assertPathContained() after constructing the candidate path, throwing before any I/O if the path escapes the vault base directory
• Created yaml_vault_config_repository_test.ts with three tests:
  • Normal vault types ("aws", "local_encryption") resolve without error
  • "../../.ssh" throws Error: Path traversal detected
  • "../foo" throws Error: Path traversal detected

getPath() requires no further change — it already depends on the validated output of getTypeDir().

Test Plan

• deno check — type checking passes
• deno lint — no lint errors
• deno fmt — code formatted
• New tests pass: deno run test src/infrastructure/persistence/yaml_vault_config_repository_test.ts (3/3)
• Full test suite passes: deno run test (1792/1792)
• deno run compile — binary recompiles cleanly

Reported-by: @umag

[github-actions]

✅ Approved

This PR correctly fixes the path traversal vulnerability reported in #393. The implementation is sound.

What I Verified

Security:

• The assertPathContained() function uses resolve() to normalize paths before comparison, handling edge cases beyond literal .. segments
• All public methods (findById, findAllByType, save, delete) flow through getTypeDir() which validates before any I/O
• Absolute path injection (e.g., /etc/passwd) is also blocked since join() replaces prior segments with absolute paths, which would then fail the containment check

Code Style (CLAUDE.md):

• ✅ No any types
• ✅ Named exports used
• ✅ AGPLv3 license header present
• ✅ Test file next to source file
• ✅ Uses @std/assert for assertions

DDD:

• ✅ Repository pattern correctly implemented
• ✅ Path validation is an appropriate infrastructure-level concern

Test Coverage:

• ✅ Tests cover valid vault types and path traversal detection
• ✅ Proper cleanup in finally blocks

Suggestions (non-blocking)

1. Consider extracting assertPathContained to a shared utility — The function is now duplicated between unified_data_repository.ts and yaml_vault_config_repository.ts. A shared path_security.ts module could reduce duplication. However, the current approach is consistent with existing patterns, so this is fine to leave as-is.

🤖 Generated with Claude Code