fix(validators): reject certain paths from being used #17330

Merged
nijel merged 1 commit into
WeblateOrg:mainfrom
nijel:validate-filename
Dec 16, 2025

@nijel nijel commented Dec 16, 2025

Member

Restrict based on the translation-finder blacklist which covers files we do not want to touch.

@nijel nijel added this to the 5.15.1 milestone Dec 16, 2025
@nijel nijel self-assigned this Dec 16, 2025
@nijel nijel requested a review from Copilot December 16, 2025 07:26

Copilot AI left a comment

Contributor

Pull request overview

This PR adds validation to reject filenames that start with directories from the translation-finder blacklist (such as .git, .svn, etc.). The goal is to prevent potentially dangerous file paths from being used in Weblate's file handling operations, aligning with the existing is_excluded function used for zip extraction.

Key Changes:

  • Imports EXCLUDES from translation_finder.finder to use as a path exclusion list
  • Adds a validation check in validate_filename to reject paths starting with prohibited folders
  • Adds a test case to verify .git/config is rejected

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| weblate/utils/validators.py | Imports EXCLUDES and adds validation logic to reject filenames starting with prohibited folders |
| weblate/utils/tests/test_validators.py | Adds test case verifying that .git/config raises a ValidationError |

Comment thread weblate/utils/validators.py Outdated
Comment thread weblate/utils/validators.py Outdated
Comment thread weblate/utils/tests/test_validators.py
Comment thread weblate/utils/tests/test_validators.py
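
The check summarized in the review above, as an added example that is not part of this pull request or of Weblate's code: it compares the first path component against the exclusion list after normalization, and goes beyond the PR description by also rejecting `..`, absolute paths and case variants. `EXCLUDES` here is a constructed stand-in for `translation_finder.finder.EXCLUDES`, and `check_filename`, `is_accepted` and `FilenameRejected` are hypothetical names.

```python
from pathlib import PurePosixPath

# Assumption: constructed stand-in for translation_finder.finder.EXCLUDES;
# the page names only .git and .svn as members.
EXCLUDES = frozenset({".git", ".svn"})


class FilenameRejected(ValueError):
    """Hypothetical error type; the PR's test expects a ValidationError instead."""


def check_filename(name: str) -> str:
    """Return the normalized relative path or raise FilenameRejected."""
    if not name or "\x00" in name:
        raise FilenameRejected("empty name or NUL byte")
    # Treat backslashes as separators so ".git\\config" splits like ".git/config".
    path = PurePosixPath(name.replace("\\", "/"))
    if path.is_absolute():
        raise FilenameRejected("absolute path")
    # PurePosixPath drops "." components and collapses repeated slashes,
    # so "./.git/config" yields the parts (".git", "config").
    parts = path.parts
    if not parts:
        raise FilenameRejected("no path components")
    if ".." in parts:
        raise FilenameRejected("parent directory reference")
    # Compare the whole first component, lower-cased for case-insensitive
    # filesystems, rather than testing a string prefix.
    if parts[0].lower() in EXCLUDES:
        raise FilenameRejected(f"prohibited folder: {parts[0]}")
    return "/".join(parts)


def is_accepted(name: str) -> bool:
    """Boolean wrapper around check_filename for callers that only need a verdict."""
    try:
        check_filename(name)
    except FilenameRejected:
        return False
    return True
```

Because the match is on a whole path component, names such as `.github/workflows/ci.yml` and `docs/.gitignore` are still accepted, which a plain string-prefix test against `.git` would reject.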
@nijel nijel force-pushed the validate-filename branch from a3d3bcb to d865984 Compare December 16, 2025 12:19
Restrict based on the translation-finder blacklist which covers files we
do not want to touch.

Copilot AI left a comment

Contributor

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

@nijel nijel enabled auto-merge (rebase) December 16, 2025 13:01
@nijel nijel merged commit 4837a41 into WeblateOrg:main Dec 16, 2025
55 checks passed
@nijel nijel deleted the validate-filename branch December 16, 2025 13:06