Fixed High-severity path traversal vulnerability (CWE-22)

[Aryan-Agarwal-creator]

Description

This PR fixes a high-severity path traversal vulnerability (CWE-22) in the create-termui-app scaffolding tool. The fix introduces strict project name validation, defensive path validation, and comprehensive test coverage to prevent arbitrary file writes outside the intended project directory while preserving existing functionality.

Related Issue

Closes #707

Which package(s)?

• packages/create-termui-app

Type of Change

• 🐛 Bug fix (type:bug)
• 🧪 Tests (type:testing)
• 🔒 Security (type:security)

Checklist

• ⭐ You starred the repo. The needs-star check blocks your merge otherwise.
• Tests pass locally: bun vitest run
• Build passes: bun run build
• Typecheck passes: bun run typecheck
• You read [CONTRIBUTING.md](https://chatgpt.com/c/CONTRIBUTING.md).
• Your PR title follows type: short description.
• Widget state mutators call markDirty() (if your change affects rendering).
• No new any types without an inline comment explaining why.
• No unrelated refactors bundled into this PR.

GSSoC 2026 Participation

• You are a GSSoC 2026 contributor.
• Your GSSoC profile: https://gssoc.girlscript.org/profile/____

Screenshots / Recordings (UI changes)

N/A – Security and validation changes only.

Notes for the Reviewer

Security Improvements

• Added validateProjectName() to enforce a whitelist-based naming policy.

• Added validateResolvedPath() as a defensive check against path traversal attempts.

• Validation now runs before any filesystem operations are performed.

• Prevents directory traversal attacks such as:

  • ../evil
  • ../../etc/passwd
  • Absolute paths
  • Invalid package names

Validation Rules

Allowed:

• my-app
• project_1
• termui-demo

Rejected:

• ../evil
• /etc/passwd
• MyApp
• hello world
• project$

Files Added

• validate.ts
• validate.test.ts

Files Modified

• packages/create-termui-app/src/index.ts

Test Coverage

• Added 27 new validation-focused test cases.
• Covers valid names, invalid names, traversal attempts, and path validation edge cases.

Verification

• ✅ Build successful
• ✅ Typecheck successful
• ✅ All tests passing (1894/1894)
• ✅ No breaking changes
• ✅ Existing scaffold behavior preserved for valid project names

Summary by CodeRabbit

• Bug Fixes

  • Enhanced project name validation to prevent path traversal attacks and reject absolute paths.
  • Validation now executes earlier in the project creation flow before any filesystem operations.

• Tests

  • Added comprehensive test coverage for input validation, including edge cases and security scenarios.

[github-actions]

Hi @Aryan-Agarwal-creator 👋

⭐ Star this repo before your PR merges.

Why? GSSoC 2026 contributors who star get priority review and points credit. After you star, push any commit (or re-run this check). The needs-star label lifts automatically.

Thanks for your contribution to TermUI.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR adds input validation to prevent path traversal attacks in the create-termui-app scaffold. Two security helper functions validate project names against allowed characters and path patterns, then check that resolved paths stay within the current directory. Integration applies these checks in both interactive and non-interactive creation flows before any filesystem operations.

Changes

Project Name Validation for Security

Layer / File(s)	Summary
Validation functions and regex packages/create-termui-app/src/validate.ts, packages/create-termui-app/src/validate.test.ts	VALID_NAME_RE regex constrains project names to lowercase alphanumeric characters, hyphens, and underscores. validateProjectName rejects non-strings, empty names, absolute paths (/, \), path traversal sequences (..), and invalid characters. validateResolvedPath defensively ensures the resolved path remains within the cwd using prefix comparison. Tests cover valid inputs with whitespace trimming and extensive invalid cases (traversal, absolute paths, separators, bad characters, bad starting characters, and type mismatches).
Validation integration in creation flows packages/create-termui-app/src/index.ts	Import validateProjectName and apply it in non-interactive mode (line 61–63) and interactive mode (line 124–126) immediately before filesystem operations. Remove non-null assertions (projectName!) from config assignment (line 144) and path resolution (line 154) since validation now guarantees the name is defined.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• #707: This PR directly implements path-traversal validation by adding validateProjectName and validateResolvedPath functions and calling them before filesystem operations in both creation modes.
• #705: The validation logic prevents unsanitized project names and path-traversal attacks during project creation, addressing the security bug described in this issue.

Poem

🐰 A rabbit hops with careful grace,
Validating paths in every place,
No traversals shall slip on through,
Security checks, tried and true—
Safe scaffolds now, for me and you! 🛡️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title directly and clearly describes the main security change: fixing a path traversal vulnerability (CWE-22). It matches the primary objective and all code changes.
Description check	✅ Passed	The PR description comprehensively covers all required template sections with detailed security improvements, validation rules, test coverage, and verification results.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🎉 Thanks for your first PR to TermUI, @Aryan-Agarwal-creator.

Before your PR merges:

1. ⭐ Star the repo. Required. The star-check job blocks your merge otherwise.
2. ✅ All checks green: build, test, typecheck.
3. 🏷 PR title follows type: short description. Example: fix: handle empty list.
4. 🔗 Link your closing issue in the description.

GSSoC 2026 points come from labels after merge:

• gssoc:approved. +50 base points.
• level:beginner / intermediate / advanced / critical. +20 / +35 / +55 / +80.
• quality:clean / exceptional. x 1.2 / x 1.5.
• type:*. Stackable bonus.

Your reviewer responds within 48 hours. Ping @Karanjot786 on Discord for urgent help.

🚀 Welcome to the cohort.

[Aryan-Agarwal-creator]

Already Stared the Repo

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

packages/create-termui-app/src/validate.test.ts (1)

172-183: ⚡ Quick win

Add rejection-path tests for validateResolvedPath (escape attempts and Windows-style separators).

Current coverage is happy-path only; this helper is security-critical and should assert that escape cases throw.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/create-termui-app/src/validate.test.ts` around lines 172 - 183, Add
negative tests for validateResolvedPath to assert it throws on path-escaping and
Windows-style separator inputs: call validateResolvedPath(cwd, "../evil") and
validateResolvedPath(cwd, "..\\evil") and expect them to throw, also test inputs
containing backslashes like "some\\name" and absolute/escape variants such as
"/absolute/path" and "my-app/../evil" to ensure validateResolvedPath rejects
path-traversal and Windows-style separators; place these new it(...) cases
alongside the existing describe("validateResolvedPath") tests referencing the
validateResolvedPath function.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/create-termui-app/src/index.ts`:
- Line 15: The code calls validateProjectName but never invokes
validateResolvedPath, so add a call to validateResolvedPath(resolvedPath) before
any filesystem writes in both flows (the interactive and non-interactive project
creation paths) to ensure the resolved path is safe; specifically, call
validateResolvedPath immediately after resolving the target directory and before
invoking any functions that write files (e.g., before template copy/write
operations or before writeProject/writeFiles logic), keeping validateProjectName
checks intact.

In `@packages/create-termui-app/src/validate.test.ts`:
- Around line 159-163: Remove the unnecessary "as unknown" casts in the tests
that call validateProjectName (e.g., replace validateProjectName(123 as unknown)
and validateProjectName({} as unknown) with direct calls
validateProjectName(123) and validateProjectName({})) and keep the existing
expect(...).toThrow(/required/) assertions; then add negative-path tests for
validateResolvedPath that assert it throws when the resolved path escapes the
current working directory (e.g., inputs like ".." or a path that resolves
outside cwd) using the existing test patterns so the new tests check for the
expected error/regex.

In `@packages/create-termui-app/src/validate.ts`:
- Around line 71-73: The current containment check in validateResolvedPath uses
resolved.startsWith(cwdNorm + "/") which is separator-specific and breaks on
Windows; replace that startsWith logic with a path.relative-based containment
check: compute const rel = path.relative(cwdNorm, resolved) and treat the path
as inside the cwd when rel === "" (exact match) or when rel does not start with
".." (use ".." + path.sep check to be safe) — update the conditional that
references resolved, cwdNorm, and startsWith to use this path.relative approach
so the function is separator-agnostic and Windows-safe.

---

Nitpick comments:
In `@packages/create-termui-app/src/validate.test.ts`:
- Around line 172-183: Add negative tests for validateResolvedPath to assert it
throws on path-escaping and Windows-style separator inputs: call
validateResolvedPath(cwd, "../evil") and validateResolvedPath(cwd, "..\\evil")
and expect them to throw, also test inputs containing backslashes like
"some\\name" and absolute/escape variants such as "/absolute/path" and
"my-app/../evil" to ensure validateResolvedPath rejects path-traversal and
Windows-style separators; place these new it(...) cases alongside the existing
describe("validateResolvedPath") tests referencing the validateResolvedPath
function.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 49cf55c4-6526-4f58-be5c-129358a42cc1

📥 Commits

Reviewing files that changed from the base of the PR and between c36cc8c and c0545be.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• packages/create-termui-app/src/index.ts
• packages/create-termui-app/src/validate.test.ts
• packages/create-termui-app/src/validate.ts

[Karanjot786]

Review: validateResolvedPath not called

In packages/create-termui-app/src/index.ts at line 15, validateResolvedPath is defined but never called.

Add the call immediately after resolving the project directory, before any file writes:

const projectDir = resolve(process.cwd(), projectName);
validateResolvedPath(projectDir); // validate before writing

Do this in both the interactive and non-interactive flows.