The regex-based file matching in common.js and conftest.py uses:
const dataFileRegex = new RegExp(`([^"]+\\.(${dataFileExtension.join('|')}))`, "gi");
This pattern matches any file with allowed extensions without path traversal protections (e.g., ../../../etc/passwd.csv). However, since these are test files running in controlled environments, the risk is limited.
Recommendations:
- Add path normalization and validation before file operations
- Use path.resolve() and verify paths stay within expected directories
- Consider adding allowlist validation for dataset paths