block /add of files from outside coder.root #178

2025-05-29 16:54:59 +00:00 · 2023-09-29 13:27:43 -07:00 · 2023-09-29 13:27:43 -07:00 · 399d86d437
commit 399d86d437
parent 5d7e44082e
2 changed files with 52 additions and 1 deletions
--- a/aider/commands.py
+++ b/aider/commands.py
@ -296,6 +296,12 @@ class Commands:
        for matched_file in all_matched_files:
            abs_file_path = self.coder.abs_root_path(matched_file)

+            if not abs_file_path.startswith(self.coder.root):
+                self.io.tool_error(
+                    f"Can not add {abs_file_path}, which is not within {self.coder.root}"
+                )
+                continue
+
            if self.coder.repo and matched_file not in git_files:
                self.coder.repo.repo.git.add(abs_file_path)
                git_added.append(matched_file)
--- a/tests/test_commands.py
+++ b/tests/test_commands.py
@ -14,7 +14,7 @@ from aider.coders import Coder
 from aider.commands import Commands
 from aider.dump import dump  # noqa: F401
 from aider.io import InputOutput
-from tests.utils import GitTemporaryDirectory
+from tests.utils import ChdirTemporaryDirectory, GitTemporaryDirectory, make_repo


 class TestCommands(TestCase):
@ -295,3 +295,48 @@ class TestCommands(TestCase):
            # this was blowing up with GitCommandError, per:
            # https://github.com/paul-gauthier/aider/issues/201
            commands.cmd_add("temp.txt")
+
+    def test_cmd_add_from_outside_root(self):
+        with ChdirTemporaryDirectory() as tmp_dname:
+            root = Path("root")
+            root.mkdir()
+            os.chdir(str(root))
+
+            io = InputOutput(pretty=False, yes=False)
+            from aider.coders import Coder
+
+            coder = Coder.create(models.GPT35, None, io)
+            commands = Commands(io, coder)
+
+            outside_file = Path(tmp_dname) / "outside.txt"
+            outside_file.touch()
+
+            # This should not be allowed!
+            # https://github.com/paul-gauthier/aider/issues/178
+            commands.cmd_add("../outside.txt")
+
+            self.assertEqual(len(coder.abs_fnames), 0)
+
+    def test_cmd_add_from_outside_git(self):
+        with ChdirTemporaryDirectory() as tmp_dname:
+            root = Path("root")
+            root.mkdir()
+            os.chdir(str(root))
+
+            make_repo()
+
+            io = InputOutput(pretty=False, yes=False)
+            from aider.coders import Coder
+
+            coder = Coder.create(models.GPT35, None, io)
+            commands = Commands(io, coder)
+
+            outside_file = Path(tmp_dname) / "outside.txt"
+            outside_file.touch()
+
+            # This should not be allowed!
+            # It was blowing up with GitCommandError, per:
+            # https://github.com/paul-gauthier/aider/issues/178
+            commands.cmd_add("../outside.txt")
+
+            self.assertEqual(len(coder.abs_fnames), 0)