Add a comment to hint why we clean the directories (#11272)

dependabot · Jan 10, 2025 · 768ddde · 768ddde
1 parent 3963a3f
commit 768ddde
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/updater/lib/dependabot/job.rb b/updater/lib/dependabot/job.rb
@@ -428,6 +428,7 @@ def build_update_strategy(requirements_update_strategy:, lockfile_only:)
     sig { params(source_details: T::Hash[String, T.untyped]).returns(Dependabot::Source) }
     def build_source(source_details)
       # Immediately normalize the source directory, ensure it starts with a "/"
+      # Uses Pathname#cleanpath to prevent users from maliciously using paths like ../.. to access other directories.
       directory, directories = clean_directories(source_details)
 
       Dependabot::Source.new(