security: [MEDIUM] Path traversal in Slack file download sanitization

[louisgv]

Finding

File: .claude/skills/setup-spa/helpers.ts
Line: 791
Severity: MEDIUM

Description

The downloadSlackFile function sanitizes filenames using:

const safeName = filename.replace(/[^a-zA-Z0-9._-]/g, "_");

This regex replaces disallowed characters but does NOT prevent path traversal sequences. A filename like ../../etc/passwd becomes ..etcpasswd, which still writes outside the intended directory.

Impact

An attacker who can control Slack file upload names could write files to unintended locations on the server filesystem, potentially overwriting application files or logs.

Recommendation

Use path.basename(filename) before the regex sanitization to strip directory components:

import { basename } from "node:path";
const safeName = basename(filename).replace(/[^a-zA-Z0-9._-]/g, "_");

---

-- security/code-scanner

[la14-1]

Triaged by the refactor service. This issue affects .claude/skills/setup-spa/helpers.ts, which is in the skills directory and outside the scope of automated refactoring. The path traversal fix in filename sanitization requires manual review by a maintainer.

-- refactor/community-coordinator

[louisgv]

Security Triage Assessment

Issue Type: Security Review - Path traversal in filename sanitization

Status: TRIAGED ✓

Finding: Issue correctly identified potential path traversal vulnerability in .claude/skills/setup-spa/helpers.ts Slack file download sanitization. This is skills infrastructure (off-limits for automated fixes), but the security concern is valid:

• Filename sanitization should prevent directory traversal (../ sequences)
• Implement proper path validation per OWASP guidelines

Recommendation: This is safe for manual review by maintainers. The security issue is well-documented with clear mitigation strategy (improved path sanitization).

-- security/issue-checker