Fix PathHelpers security vulnerability and add build/lint scripts

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
demaconsulting · Malcolmnixon · Feb 11, 2026 · Feb 11, 2026 · Feb 11, 2026 · Feb 11, 2026
commit c7f7e2a0d8f77ed588fc71664aa72f4e2dbc5446
diff --git a/build.bat b/build.bat
@@ -0,0 +1,16 @@
+@echo off
+setlocal
+
+REM Restore dependencies
+dotnet restore
+if errorlevel 1 exit /b 1
+
+REM Build the project
+dotnet build --configuration Release
+if errorlevel 1 exit /b 1
+
+REM Run tests
+dotnet test --configuration Release
+if errorlevel 1 exit /b 1
+
+echo Build completed successfully!
diff --git a/build.sh b/build.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+# Restore dependencies
+dotnet restore
+
+# Build the project
+dotnet build --configuration Release
+
+# Run tests
+dotnet test --configuration Release
diff --git a/lint.bat b/lint.bat
@@ -0,0 +1,16 @@
+@echo off
+setlocal
+
+REM Run markdown linter
+call npx markdownlint-cli2 "**/*.md"
+if errorlevel 1 exit /b 1
+
+REM Run spell checker
+call npx cspell "**/*.{md,cs}"
+if errorlevel 1 exit /b 1
+
+REM Run YAML linter
+call yamllint .
+if errorlevel 1 exit /b 1
+
+echo Linting completed successfully!
diff --git a/lint.sh b/lint.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+# Run markdown linter
+npx markdownlint-cli2 "**/*.md"
+
+# Run spell checker
+npx cspell "**/*.{md,cs}"
+
+# Run YAML linter
+yamllint .
diff --git a/src/DemaConsulting.BuildMark/PathHelpers.cs b/src/DemaConsulting.BuildMark/PathHelpers.cs
@@ -44,6 +44,19 @@ internal static string SafePathCombine(string basePath, string relativePath)
         // 1. relativePath doesn't contain ".." (path traversal)
         // 2. relativePath is not an absolute path (IsPathRooted check)
         // This ensures the combined path will always be under basePath
-        return Path.Combine(basePath, relativePath);
+        var combinedPath = Path.Combine(basePath, relativePath);
+
+        // Additional security validation: ensure the combined path is still under the base path.
+        // This defense-in-depth approach protects against edge cases that might bypass the
+        // initial validation, ensuring the final path stays within the intended directory.
+        var fullBasePath = Path.GetFullPath(basePath);
+        var fullCombinedPath = Path.GetFullPath(combinedPath);
+
+        if (!fullCombinedPath.StartsWith(fullBasePath, StringComparison.OrdinalIgnoreCase))
+        {
+            throw new ArgumentException($"Invalid path component: {relativePath}", nameof(relativePath));
+        }
+
+        return combinedPath;
     }
 }