chore(agents): Add security-review skill to agent configuration

3d8366c
Merged

chore(agents): Add security-review skill to agent configuration #5498

GitHub Actions / warden: find-bugs completed Feb 20, 2026 in 6m 54s

1 issue

find-bugs: Found 1 issue (1 medium)

Medium

Path traversal prevention example can be bypassed with sibling directory names - `.agents/skills/security-review/references/file-security.md:38`

The `safe_join` function example uses `str(target).startswith(str(base))` to verify the resolved path is under the base directory. This check is flawed: if base is `/uploads` and an attacker crafts a path resolving to `/uploads_malicious/file`, the startswith check passes because `"/uploads_malicious".startswith("/uploads")` is True. Developers copying this security guidance may inadvertently introduce path traversal vulnerabilities.

Also found at:

  • .agents/skills/security-review/references/modern-threats.md:373
  • .agents/skills/security-review/references/modern-threats.md:334
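The following is an added example, not code from the PR or from the security-review skill's reference files: the string-prefix `safe_join` pattern the finding describes, beside a corrected version that compares path components instead. The `/uploads` base directory and the sample inputs are constructed for the demo and need not exist on disk.

```python
# Added example (not the project's own code): flawed vs. corrected safe_join.
from pathlib import Path
from typing import Optional

BASE = Path("/uploads")  # constructed base directory; does not need to exist


def safe_join_flawed(base: Path, user_path: str) -> Optional[Path]:
    """The pattern the finding flags: a textual prefix test.

    It rejects classic '../' traversal, but a sibling directory whose name
    merely starts with the base name (e.g. /uploads_malicious) is accepted.
    """
    target = (base / user_path).resolve()
    if str(target).startswith(str(base.resolve())):
        return target
    return None


def safe_join(base: Path, user_path: str) -> Optional[Path]:
    """Corrected version: compare path components, not string prefixes.

    Path.relative_to() succeeds only when each leading component of target
    equals the corresponding component of base, so /uploads_malicious is
    rejected even though it shares a textual prefix with /uploads. Both
    sides are resolved first so '..' and symlinks are collapsed beforehand.
    """
    base = base.resolve()
    target = (base / user_path).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None  # escapes the base directory
    return target


def demo() -> dict:
    """Run both versions over constructed inputs; (flawed_accepts, fixed_accepts)."""
    cases = {
        "benign": "report.pdf",
        "classic_traversal": "../etc/passwd",
        "sibling_bypass": "../uploads_malicious/file",
    }
    return {
        name: (safe_join_flawed(BASE, p) is not None, safe_join(BASE, p) is not None)
        for name, p in cases.items()
    }


if __name__ == "__main__":
    for name, (flawed_ok, fixed_ok) in demo().items():
        print(f"{name:18s} flawed accepts={flawed_ok!s:5s} fixed accepts={fixed_ok}")
```

Only the sibling-bypass case separates the two versions: the prefix check lets it through, the component-wise check does not.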

Duration: 410.6s · Tokens: 1.0M in / 16.4k out · Cost: $2.53 (+extraction: $0.00, +merge: $0.00)
