Harden Windows hash quoting and CI failure check

Copilot · bytemain · web-flow · commit c9d091672042 · 2026-05-01T14:03:04.000Z
Agent-Logs-Url: https://github.com/version-fox/vfox-python/sessions/5852e539-b06d-4c0c-b5d1-b981726a91d9 Co-authored-by: bytemain <13938334+bytemain@users.noreply.github.com>
diff --git a/.github/workflows/vfox-test.yaml b/.github/workflows/vfox-test.yaml
@@ -151,7 +151,7 @@ jobs:
           Invoke-Expression "$(vfox activate pwsh)"
           $install_output = vfox install python@3.10.20 2>&1
           $install_output | Write-Output
-          if ($LASTEXITCODE -ne 0 -or ($install_output -join "`n") -like "*failed to install python*") {
+          if ($LASTEXITCODE -ne 0 -or ($install_output -join "`n") -ilike "*failed to install python*") {
               exit 1
           }
           vfox use -g python@3.10.20
diff --git a/lib/util.lua b/lib/util.lua
@@ -228,11 +228,21 @@ function useUvBuild()
     return value == "1" or value == "true" or value == "yes" or value == "on"
 end
 
+local function containsTraversalSegment(value)
+    local normalizedValue = string.gsub(value, "\\", "/")
+    for segment in string.gmatch(normalizedValue, "[^/]+") do
+        if segment == ".." then
+            return true
+        end
+    end
+    return false
+end
+
 local function shellQuote(value)
     if string.find(value, "[\r\n%z]") then
         error("Path contains unsupported control character: " .. value)
     end
-    if string.find(value, "%.%.%/") or string.find(value, "%.%.\\") then
+    if containsTraversalSegment(value) then
         error("Path contains unsupported traversal segment: " .. value)
     end
 
@@ -250,7 +260,7 @@ local function powershellQuote(value)
     if string.find(value, "[\r\n%z]") then
         error("Path contains unsupported control character: " .. value)
     end
-    if string.find(value, "%.%.%/") or string.find(value, "%.%.\\") then
+    if containsTraversalSegment(value) then
         error("Path contains unsupported traversal segment: " .. value)
     end
 
@@ -469,6 +479,7 @@ local function verifyUvBuildArchive(path, sha256)
 
     local status
     if RUNTIME.osType == "windows" or OS_TYPE == "windows" then
+        -- shellQuote quotes for cmd.exe; powershellQuote quotes the archive path inside the PowerShell command.
         local command = "powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command " ..
             shellQuote("(Get-FileHash -LiteralPath " .. powershellQuote(path) .. " -Algorithm SHA256).Hash")
         local handle = io.popen(command)

Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,7 @@ jobs:`
`151`	`151`	`Invoke-Expression "$(vfox activate pwsh)"`
`152`	`152`	`$install_output = vfox install python@3.10.20 2>&1`
`153`	`153`	`$install_output \| Write-Output`
`154`		- if ($LASTEXITCODE -ne 0 -or ($install_output -join "`n") -like "failed to install python") {
	`154`	+ if ($LASTEXITCODE -ne 0 -or ($install_output -join "`n") -ilike "failed to install python") {
`155`	`155`	`exit 1`
`156`	`156`	`}`
`157`	`157`	`vfox use -g python@3.10.20`