Problem
specs/sources.yaml path fields are joined directly with work/sync roots without rejecting absolute paths or .. traversal. A bad source config can read from or write outside the intended cache subdirectories during sync.
Evidence
internal/sourceconfig/sources.go validates backend blocks and pinned refs, but does not validate file paths, proto staging paths, entries, or import roots.
internal/specsync/swagger.go uses filepath.Join(workDir, rel) and filepath.Join(syncDir, rel) for swagger.files.
internal/specsync/openapi3.go does the same for openapi3.files.
internal/specsync/proto.go joins proto.staging.from, proto.staging.to, proto.entries, and proto.import_roots without containment checks.
Expected behavior
Source config validation should reject absolute paths, parent traversal, empty path segments, and unsafe proto staging targets. Sync should also enforce containment after filepath.Clean / filepath.Rel before copying or invoking protoc.
Verification
make test currently passes; existing source config tests cover pinned ref validation but not path containment.