fix(config): fix path traversal detection for windows compatibility (python-semantic-release#1014)

codejedi365 · codejedi365 · commit 16e6daaf851c · 2024-09-01T11:23:35.000-06:00
The original implementation of the path traversal detection expected that `resolve()` works the same on windows as it does with Linux/Mac. Windows requires the folder paths to exist to be resolved and that is not the case when the `template_dir` is not being used. Resolves: python-semantic-release#994
diff --git a/semantic_release/cli/config.py b/semantic_release/cli/config.py
@@ -568,15 +568,25 @@ def from_raw_config(  # noqa: C901
         )
 
         # changelog_file
-        changelog_file = Path(raw.changelog.changelog_file).expanduser().resolve()
+        # Must use absolute after resolve because windows does not resolve if the path does not exist
+        # which means it returns a relative path. So we force absolute to ensure path is complete
+        # for the next check of path matching
+        changelog_file = (
+            Path(raw.changelog.changelog_file).expanduser().resolve().absolute()
+        )
 
         # Prevent path traversal attacks
         if raw.repo_dir not in changelog_file.parents:
             raise InvalidConfiguration(
                 "Changelog file destination must be inside of the repository directory."
             )
 
-        template_dir = Path(raw.changelog.template_dir).expanduser().resolve()
+        # Must use absolute after resolve because windows does not resolve if the path does not exist
+        # which means it returns a relative path. So we force absolute to ensure path is complete
+        # for the next check of path matching
+        template_dir = (
+            Path(raw.changelog.template_dir).expanduser().resolve().absolute()
+        )
 
         # Prevent path traversal attacks
         if raw.repo_dir not in template_dir.parents:
