fix(security): prevent path traversal in credentials file deletion

Use path.resolve() to normalize paths before comparison in removeIncludeIfCredentials(). The previous startsWith() check was vulnerable to path traversal attacks where a path like "/tmp/runner/../../../etc/passwd" would pass the check but resolve outside RUNNER_TEMP. Also append path.sep to prevent false positives (e.g., /tmp/runner2 matching /tmp/runner).
2026-01-23 10:06:08 +00:00 · 2026-01-23 10:06:08 +00:00 · d9ef76f1ac
commit d9ef76f1ac
parent ca2f66fc96
2 changed files with 10 additions and 2 deletions
--- a/dist/index.js
+++ b/dist/index.js
@ -1392,7 +1392,10 @@ class GitConfigHelper {
            }
            // Delete only our credentials config file
            const runnerTemp = process.env['RUNNER_TEMP'];
-            if (runnerTemp && this.credentialsConfigPath.startsWith(runnerTemp)) {
+            const resolvedCredentialsPath = path.resolve(this.credentialsConfigPath);
            const resolvedRunnerTemp = runnerTemp ? path.resolve(runnerTemp) : '';
            if (resolvedRunnerTemp &&
                resolvedCredentialsPath.startsWith(resolvedRunnerTemp + path.sep)) {
                try {
                    yield fs.promises.unlink(this.credentialsConfigPath);
                    core.info(`Removed credentials config file: ${this.credentialsConfigPath}`);
--- a/src/git-config-helper.ts
+++ b/src/git-config-helper.ts
@ -303,7 +303,12 @@ export class GitConfigHelper {
    // Delete only our credentials config file
    const runnerTemp = process.env['RUNNER_TEMP']
-    if (runnerTemp && this.credentialsConfigPath.startsWith(runnerTemp)) {
+    const resolvedCredentialsPath = path.resolve(this.credentialsConfigPath)
    const resolvedRunnerTemp = runnerTemp ? path.resolve(runnerTemp) : ''
    if (
      resolvedRunnerTemp &&
      resolvedCredentialsPath.startsWith(resolvedRunnerTemp + path.sep)
    ) {
      try {
        await fs.promises.unlink(this.credentialsConfigPath)
        core.info(