From 19e11e59dd28af724f2f5b6391f27771e09afe51 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 29 Jun 2026 15:57:34 +0800 Subject: [PATCH 1/2] fix(security): prevent inventory validator overwriting input --- ...thenticated-inventory-payload-validator.py | 2 ++ ...thenticated_inventory_payload_validator.py | 24 +++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/scripts/security/gitea-authenticated-inventory-payload-validator.py b/scripts/security/gitea-authenticated-inventory-payload-validator.py index d654274e0..c41bdc43d 100644 --- a/scripts/security/gitea-authenticated-inventory-payload-validator.py +++ b/scripts/security/gitea-authenticated-inventory-payload-validator.py @@ -260,6 +260,8 @@ def main() -> int: validation = validate_payload(load_json(args.input)) text = json.dumps(validation, ensure_ascii=False, indent=2) + "\n" if args.output: + if args.output.resolve() == args.input.resolve(): + raise SystemExit("output_must_not_equal_input") args.output.parent.mkdir(parents=True, exist_ok=True) args.output.write_text(text, encoding="utf-8") else: diff --git a/scripts/security/tests/test_gitea_authenticated_inventory_payload_validator.py b/scripts/security/tests/test_gitea_authenticated_inventory_payload_validator.py index 45c300a1c..92a95db21 100644 --- a/scripts/security/tests/test_gitea_authenticated_inventory_payload_validator.py +++ b/scripts/security/tests/test_gitea_authenticated_inventory_payload_validator.py @@ -72,6 +72,30 @@ def test_rejects_execution_request(tmp_path: Path) -> None: assert validation["operation_boundaries"]["gitea_write_performed"] is False +def test_output_must_not_overwrite_input(tmp_path: Path) -> None: + payload_path = tmp_path / "inventory.json" + original = json.dumps(valid_payload()) + payload_path.write_text(original, encoding="utf-8") + + result = subprocess.run( + [ + sys.executable, + str(SCRIPT), + "--input", + str(payload_path), + "--output", + str(payload_path), + ], + text=True, + capture_output=True, + check=False, + ) + + assert result.returncode != 0 + assert "output_must_not_equal_input" in result.stderr + assert payload_path.read_text(encoding="utf-8") == original + + def valid_payload() -> dict: repos = [ repo("wooo/awoooi"), From 0ff377af6fd0121c759fef2ef11630c3a3aac976 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 29 Jun 2026 15:59:16 +0800 Subject: [PATCH 2/2] fix(security): resolve gitea inventory validator input from repo root --- .../gitea-authenticated-inventory-payload-validator.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/security/gitea-authenticated-inventory-payload-validator.py b/scripts/security/gitea-authenticated-inventory-payload-validator.py index c41bdc43d..8f7528a2d 100644 --- a/scripts/security/gitea-authenticated-inventory-payload-validator.py +++ b/scripts/security/gitea-authenticated-inventory-payload-validator.py @@ -48,6 +48,7 @@ SECRET_PATTERNS = { "token_assignment": re.compile(r"\btoken\s*[:=]\s*[^,\s]+", re.IGNORECASE), } SECRET_QUERY_KEYS = {"access_token", "auth", "key", "password", "secret", "token"} +ROOT = Path(__file__).resolve().parents[2] def parse_args() -> argparse.Namespace: @@ -57,7 +58,7 @@ def parse_args() -> argparse.Namespace: parser.add_argument( "--input", type=Path, - default=Path("docs/security/gitea-repo-inventory.snapshot.json"), + default=ROOT / "docs/security/gitea-repo-inventory.snapshot.json", help="Payload JSON to validate.", ) parser.add_argument("--output", type=Path, help="Write validation JSON here.")