From 48abb922c043b455e7f34a7aa76570da512c3196 Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Thu, 22 Jan 2026 15:24:35 +0000
Subject: [PATCH] fix(security): autofix Path traversal attack possible

---
 crates/bin/ampup/src/version_manager.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/crates/bin/ampup/src/version_manager.rs b/crates/bin/ampup/src/version_manager.rs
index dfef6a286..3003df7f9 100644
--- a/crates/bin/ampup/src/version_manager.rs
+++ b/crates/bin/ampup/src/version_manager.rs
@@ -123,6 +123,12 @@ impl VersionManager {
 if ampd_active_path.exists() || ampd_active_path.is_symlink() {
 fs::remove_file(&d_active_path).context("Failed to remove existing ampd symlink")?;
 }
+ // Prevent path traversal attacks by rejecting paths containing '..'
+ if ampd_binary_path.components().any(|c| c == std::path::Component::ParentDir) ||
+ ampd_active_path.components().any(|c| c == std::path::Component::ParentDir) {
+ return Err(anyhow::anyhow!("Invalid input: {}, {}",
+ ampd_binary_path.display(), ampd_active_path.display()));
+ }
 symlink(&d_binary_path, &d_active_path).context("Failed to create ampd symlink")?;
 
 // Handle ampctl symlink
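Review bot: The new guard runs only after the `fs::remove_file(&d_active_path)` call has already executed, so a path that the guard rejects still deletes the existing ampd symlink before the error is returned; the six added lines belong above the `if ampd_active_path.exists() || ampd_active_path.is_symlink()` block, ideally at the point where the two paths are constructed, which lies outside this hunk (the enclosing method starts and ends outside the hunk). Rejecting `Component::ParentDir` alone also does not confine either path: an absolute path or a symlinked directory component passes the check, so if the intent is to keep both inside the install directory, canonicalizing the parent and testing `starts_with(install_dir)` is the more robust form, and the same guard presumably also belongs on the ampctl paths handled just below the hunk. As a style point, the duplicated `.components().any(|c| c == std::path::Component::ParentDir)` could be a small helper such as `fn has_parent_dir(p: &Path) -> bool { p.components().any(|c| c == Component::ParentDir) }`, and rustfmt would put the `||` at the start of the continuation line rather than the end of the first.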