diff --git a/docs/src/content/docs/enterprise/security.md b/docs/src/content/docs/enterprise/security.md index 734069426..027f6ee83 100644 --- a/docs/src/content/docs/enterprise/security.md +++ b/docs/src/content/docs/enterprise/security.md @@ -165,13 +165,20 @@ APM deploys files only to controlled subdirectories within the project root. ### Path traversal prevention -All deploy paths are validated before any file operation: +APM validates paths at two layers: repository URL parsing and file deployment. + +**Repository URL validation** — traversal sequences are rejected before any network operation: + +- Dependency strings (shorthand, HTTPS, SSH-style `git@host:owner/repo.git`) are parsed and each path segment is checked for `.` and `..` sequences. +- An SSH-style URL like `git@github.com:owner/../../../etc/passwd.git` is rejected at parse time, before any clone or fetch is attempted. + +**Deploy path validation** — all target paths are validated before any file operation: 1. **No `..` segments.** Any path containing `..` is rejected outright. 2. **Allowed prefixes only.** Paths must start with an allowed prefix (`.github/`, `.claude/`, `.cursor/`, or `.opencode/`). 3. **Resolution containment.** The fully resolved path must remain within the project root directory. -A path must pass all three checks. Failure on any check prevents the file from being written. +A deploy path must pass all three checks. Failure on any check prevents the file from being written. ### Symlink handling diff --git a/docs/src/content/docs/guides/dependencies.md b/docs/src/content/docs/guides/dependencies.md index 7134dc01d..f5e9da332 100644 --- a/docs/src/content/docs/guides/dependencies.md +++ b/docs/src/content/docs/guides/dependencies.md 
@@ -30,7 +30,7 @@ APM supports multiple dependency types: | **Virtual Subdirectory Package** | Folder path in monorepo | `ComposioHQ/awesome-claude-skills/mcp-builder` | | **Virtual Subdirectory Package** | Folder path in repo | `github/awesome-copilot/skills/review-and-refactor` | | **Local Path Package** | Path starts with `./`, `../`, or `/` | `./packages/my-shared-skills` | -| **ADO Package** | Azure DevOps repo | `dev.azure.com/org/project/_git/repo` or `dev.azure.com/org/My%20Project/_git/My%20Repo` | +| **ADO Package** | Azure DevOps repo | `dev.azure.com/org/project/_git/repo` or `dev.azure.com/org/My%20Project/_git/My%20Repo` (spaces and `%20`-encoding both accepted) | **Virtual Subdirectory Packages** are skill folders from monorepos - they download an entire folder and may contain a SKILL.md plus resources.
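Review bot: the new "Repository URL validation" bullet in the security.md hunk says each path segment "is checked for `.` and `..` sequences", which as written could mean any segment containing a dot is rejected, yet the example in the next bullet (`.../etc/passwd.git`) and every repo in the project carry a `.git` suffix or dotted name. State the check precisely, e.g. "any path segment equal to `.` or `..` is rejected", and either apply the same single-dot rule to the "Deploy path validation" list (whose item 1 rejects only `..`) or explain why the two layers differ. The second bullet also restates the first ("rejected before any network operation" / "rejected at parse time, before any clone or fetch is attempted"); merging the example into the first bullet would read tighter.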
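Review bot: the ADO row now documents that `%20`-encoded and literal-space segments are both accepted, which implies the dependency string is percent-decoded somewhere, but the security.md hunk in this same patch says traversal is checked "at parse time" without saying whether that check runs before or after decoding; a `%2e%2e` segment that is decoded after the segment check would bypass it. Please state in the security.md "Repository URL validation" bullet that segment checks apply to the decoded form (or that only `%20` is ever decoded), and add a literal-space example to the row, e.g. `dev.azure.com/org/My Project/_git/My Repo`, with a note on quoting it in the dependency list since the other examples only show the encoded form.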