Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: basecamp/fizzy-cli
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v2.5.0
Choose a base ref
...
head repository: basecamp/fizzy-cli
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v2.5.1
Choose a head ref
  • 2 commits
  • 2 files changed
  • 1 contributor

Commits on Jan 24, 2026

  1. fix: prevent path traversal in attachment downloads 

    Sanitize filename using filepath.Base() to prevent malicious server
responses from writing files to arbitrary locations on the filesystem.

While Fizzy's API is trusted, this follows defense-in-depth principles
by ensuring the CLI never writes outside the current directory regardless
of what filename the server returns.

Adds comprehensive unit tests covering various path traversal attempts.
    @robzolkos
    robzolkos committed Jan 24, 2026
    Configuration menu
    Copy the full SHA
    53c091b View commit details
    Browse the repository at this point in the history

  2. Merge pull request #47 from robzolkos/fix-attachment-path-traversal 

    Prevent path traversal in attachment downloads
    @robzolkos
    robzolkos authored Jan 24, 2026
    Configuration menu
    Copy the full SHA
    418b0f6 View commit details
    Browse the repository at this point in the history
Loading