Skip to content

fix(validators): reject certain paths from being used #17330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nijel merged 1 commit into from
Dec 16, 2025
Merged

fix(validators): reject certain paths from being used #17330

nijel merged 1 commit into from
Dec 16, 2025

Conversation

@nijel
Copy link
Member

@nijel nijel commented Dec 16, 2025

Restrict based on the translation-finder blacklist which covers files we do not want to touch.

@nijel nijel added this to the 5.15.1 milestone Dec 16, 2025
@nijel nijel self-assigned this Dec 16, 2025
@nijel nijel requested a review from Copilot December 16, 2025 07:26
Copilot AI reviewed Dec 16, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds validation to reject filenames that start with directories from the translation-finder blacklist (such as .git, .svn, etc.). The goal is to prevent potentially dangerous file paths from being used in Weblate's file handling operations, aligning with the existing is_excluded function used for zip extraction.

Key Changes:

  • Imports EXCLUDES from translation_finder.finder to use as a path exclusion list
  • Adds a validation check in validate_filename to reject paths starting with prohibited folders
  • Adds a test case to verify .git/config is rejected

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
weblate/utils/validators.py Imports EXCLUDES and adds validation logic to reject filenames starting with prohibited folders
weblate/utils/tests/test_validators.py Adds test case verifying that .git/config raises a ValidationError

nijel
nijel commented Dec 16, 2025
View reviewed changes
@nijel nijel force-pushed the validate-filename branch from a3d3bcb to d865984 Compare December 16, 2025 12:19
@nijel
fix(validators): reject certain paths from being used
0e8e80c 
Restrict based on the translation-finder blacklist which covers files we
do not want to touch.
@nijel nijel force-pushed the validate-filename branch from d865984 to 0e8e80c Compare December 16, 2025 12:20
@nijel nijel requested a review from Copilot December 16, 2025 12:20
Copilot AI reviewed Dec 16, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

@nijel nijel enabled auto-merge (rebase) December 16, 2025 13:01
@nijel nijel merged commit 4837a41 into WeblateOrg:main Dec 16, 2025
55 checks passed
@nijel nijel deleted the validate-filename branch December 16, 2025 13:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@nijel nijel

Labels

None yet

Projects

None yet

Milestone

5.15.1

Development

Successfully merging this pull request may close these issues.

1 participant

@nijel