fix(config): prevent path traversal manipulation of target changelog location

codejedi365 · codejedi365 · commit 43e35d0972e8 · 2024-07-04T10:52:52.000-06:00
diff --git a/semantic_release/cli/config.py b/semantic_release/cli/config.py
@@ -568,15 +568,15 @@ def from_raw_config(  # noqa: C901
         )
 
         # changelog_file
-        changelog_file = Path(raw.changelog.changelog_file).resolve()
+        changelog_file = Path(raw.changelog.changelog_file).expanduser().resolve()
 
         # Prevent path traversal attacks
         if raw.repo_dir not in changelog_file.parents:
             raise InvalidConfiguration(
                 "Changelog file destination must be inside of the repository directory."
             )
 
-        template_dir = (raw.repo_dir / raw.changelog.template_dir).resolve()
+        template_dir = Path(raw.changelog.template_dir).expanduser().resolve()
 
         # Prevent path traversal attacks
         if raw.repo_dir not in template_dir.parents:

Original file line number	Diff line number	Diff line change
`@@ -568,15 +568,15 @@ def from_raw_config( # noqa: C901`
`568`	`568`	`)`
`569`	`569`
`570`	`570`	`# changelog_file`
`571`		`- changelog_file = Path(raw.changelog.changelog_file).resolve()`
	`571`	`+ changelog_file = Path(raw.changelog.changelog_file).expanduser().resolve()`
`572`	`572`
`573`	`573`	`# Prevent path traversal attacks`
`574`	`574`	`if raw.repo_dir not in changelog_file.parents:`
`575`	`575`	`raise InvalidConfiguration(`
`576`	`576`	`"Changelog file destination must be inside of the repository directory."`
`577`	`577`	`)`
`578`	`578`
`579`		`- template_dir = (raw.repo_dir / raw.changelog.template_dir).resolve()`
	`579`	`+ template_dir = Path(raw.changelog.template_dir).expanduser().resolve()`
`580`	`580`
`581`	`581`	`# Prevent path traversal attacks`
`582`	`582`	`if raw.repo_dir not in template_dir.parents:`