From e3778b730990e54e66c4bf31fe64d27bd0e5daac Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 13 Mar 2026 12:13:46 +0000
Subject: [PATCH] fix: prevent path traversal in bibtex-compatibility.py

This commit addresses a security vulnerability where unvalidated command line input could lead to potential path traversal. The script now: - Checks if the required command-line argument is provided. - Uses `os.path.basename()` to sanitize the input database name, ensuring that it cannot be used to access files outside the current directory. - Gracefully exits with a usage message if arguments are missing.

Co-authored-by: k4rtik <374340+k4rtik@users.noreply.github.com>
---
 bibtex-compatibility.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/bibtex-compatibility.py b/bibtex-compatibility.py
index eb47b95d..881b98c8 100755
--- a/bibtex-compatibility.py
+++ b/bibtex-compatibility.py
@@ -2,6 +2,7 @@
 # Original source: https://github.com/jonsterling/bibtex-references
 # Modified by Kartik for use in qpl-bib
+import os
 import re
 import sys
@@ -20,7 +21,11 @@
 12: "dec" }
-db_name = sys.argv[1]
+if len(sys.argv) < 2:
+    print("Usage: python3 bibtex-compatibility.py ")
+    sys.exit(1)
+
+db_name = os.path.basename(sys.argv[1])
 old_db = open(db_name + ".bib","r")
 new_db = open("bibtex.bib","w")
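Review bot: In the second hunk, `db_name = os.path.basename(sys.argv[1])` silently rewrites a path-like argument instead of rejecting it, so `../other/refs` quietly becomes `refs.bib` in the current directory and an argument ending in a separator (`refs/`) yields an empty basename and opens `.bib`; a reviewer would rather fail loudly: `db_name = sys.argv[1]` then `if not db_name or os.path.basename(db_name) != db_name:` followed by `sys.exit("database name must be a bare file name, not a path")`. The threat model is also worth a line in the commit message: `sys.argv` is the invoking user's own input, so this only matters when the script is driven by another component, and even then the guard still permits reading any `*.bib` in the working directory and writing the fixed `bibtex.bib` there. The usage string `"Usage: python3 bibtex-compatibility.py "` ends in a trailing space with no argument placeholder, which looks like a lost `<db_name>` token; worth confirming before merge. The `open()` calls below the change are pre-existing context, not part of this hunk.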