security: sanitize user input in temp directory names (#411)

cfsmp3 · claude · web-flow · commit 08d3d28977a8 · 2026-01-20T02:13:16.000+05:30
Replace direct use of email in temp directory names with a SHA256 hash
to prevent directory traversal attacks.

- Add utils/sanitize.go with SafeTempDirPrefix() function
- Use 8-character hash of email instead of raw email
- Update all tw/*.go files to use SafeTempDirPrefix

This prevents potential path traversal if user-controlled email
contains special characters like path separators.

Co-authored-by: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/backend/utils/sanitize.go b/backend/utils/sanitize.go
@@ -0,0 +1,19 @@
+package utils
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+)
+
+// SafeTempDirPrefix creates a safe prefix for temporary directory names.
+// Instead of using user-provided values directly (which could contain path
+// separators or special characters), we use a hash of the value.
+// This prevents directory traversal attacks while still providing
+// unique prefixes per user.
+func SafeTempDirPrefix(prefix, userIdentifier string) string {
+	// Create a short hash of the user identifier
+	hash := sha256.Sum256([]byte(userIdentifier))
+	// Use first 8 characters of hex-encoded hash (32 bits of entropy)
+	shortHash := hex.EncodeToString(hash[:])[:8]
+	return prefix + shortHash
+}
diff --git a/backend/utils/tw/add_task.go b/backend/utils/tw/add_task.go
@@ -14,7 +14,7 @@ func AddTaskToTaskwarrior(req models.AddTaskRequestBody, dueDate string) error {
 		return fmt.Errorf("error deleting Taskwarrior data: %v", err)
 	}
 
-	tempDir, err := os.MkdirTemp("", "taskwarrior-"+req.Email)
+	tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", req.Email))
 	if err != nil {
 		return fmt.Errorf("failed to create temporary directory: %v", err)
 	}
diff --git a/backend/utils/tw/complete_task.go b/backend/utils/tw/complete_task.go
@@ -10,7 +10,7 @@ func CompleteTaskInTaskwarrior(email, encryptionSecret, uuid, taskuuid string) e
 	if err := utils.ExecCommand("rm", "-rf", "/root/.task"); err != nil {
 		return fmt.Errorf("error deleting Taskwarrior data: %v", err)
 	}
-	tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)
+	tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))
 	if err != nil {
 		return fmt.Errorf("failed to create temporary directory: %v", err)
 	}
diff --git a/backend/utils/tw/complete_tasks.go b/backend/utils/tw/complete_tasks.go
@@ -13,7 +13,7 @@ func CompleteTasksInTaskwarrior(email, encryptionSecret, uuid string, taskUUIDs
 		return nil, fmt.Errorf("error deleting Taskwarrior data: %v", err)
 	}
 
-	tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)
+	tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to create temporary directory: %v", err)
diff --git a/backend/utils/tw/delete_task.go b/backend/utils/tw/delete_task.go
@@ -10,7 +10,7 @@ func DeleteTaskInTaskwarrior(email, encryptionSecret, uuid, taskuuid string) err
 	if err := utils.ExecCommand("rm", "-rf", "/root/.task"); err != nil {
 		return fmt.Errorf("error deleting Taskwarrior data: %v", err)
 	}
-	tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)
+	tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))
 	if err != nil {
 		return fmt.Errorf("failed to create temporary directory: %v", err)
 	}
diff --git a/backend/utils/tw/delete_tasks.go b/backend/utils/tw/delete_tasks.go
@@ -13,7 +13,7 @@ func DeleteTasksInTaskwarrior(email, encryptionSecret, uuid string, taskUUIDs []
 		return nil, fmt.Errorf("error deleting Taskwarrior data: %v", err)
 	}
 
-	tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)
+	tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to create temporary directory: %v", err)
diff --git a/backend/utils/tw/edit_task.go b/backend/utils/tw/edit_task.go
@@ -13,7 +13,7 @@ func EditTaskInTaskwarrior(uuid, description, email, encryptionSecret, taskID st
 	if err := utils.ExecCommand("rm", "-rf", "/root/.task"); err != nil {
 		return fmt.Errorf("error deleting Taskwarrior data: %v", err)
 	}
-	tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)
+	tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))
 	if err != nil {
 		return fmt.Errorf("failed to create temporary directory: %v", err)
 	}
diff --git a/backend/utils/tw/fetch_tasks.go b/backend/utils/tw/fetch_tasks.go
@@ -14,7 +14,7 @@ func FetchTasksFromTaskwarrior(email, encryptionSecret, origin, UUID string) ([]
 		return nil, fmt.Errorf("error deleting Taskwarrior data: %v", err)
 	}
 
-	tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)
+	tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))
 	if err != nil {
 		return nil, fmt.Errorf("failed to create temporary directory: %v", err)
 	}
diff --git a/backend/utils/tw/modify_task.go b/backend/utils/tw/modify_task.go
@@ -11,7 +11,7 @@ func ModifyTaskInTaskwarrior(uuid, description, project, priority, status, due,
 	if err := utils.ExecCommand("rm", "-rf", "/root/.task"); err != nil {
 		return fmt.Errorf("error deleting Taskwarrior data: %v", err)
 	}
-	tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)
+	tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))
 	if err != nil {
 		return fmt.Errorf("failed to create temporary directory: %v", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ func AddTaskToTaskwarrior(req models.AddTaskRequestBody, dueDate string) error {`
`14`	`14`	`return fmt.Errorf("error deleting Taskwarrior data: %v", err)`
`15`	`15`	`}`
`16`	`16`
`17`		`- tempDir, err := os.MkdirTemp("", "taskwarrior-"+req.Email)`
	`17`	`+ tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", req.Email))`
`18`	`18`	`if err != nil {`
`19`	`19`	`return fmt.Errorf("failed to create temporary directory: %v", err)`
`20`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ func CompleteTaskInTaskwarrior(email, encryptionSecret, uuid, taskuuid string) e`
`10`	`10`	`if err := utils.ExecCommand("rm", "-rf", "/root/.task"); err != nil {`
`11`	`11`	`return fmt.Errorf("error deleting Taskwarrior data: %v", err)`
`12`	`12`	`}`
`13`		`- tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)`
	`13`	`+ tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))`
`14`	`14`	`if err != nil {`
`15`	`15`	`return fmt.Errorf("failed to create temporary directory: %v", err)`
`16`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ func CompleteTasksInTaskwarrior(email, encryptionSecret, uuid string, taskUUIDs`
`13`	`13`	`return nil, fmt.Errorf("error deleting Taskwarrior data: %v", err)`
`14`	`14`	`}`
`15`	`15`
`16`		`- tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)`
	`16`	`+ tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))`
`17`	`17`
`18`	`18`	`if err != nil {`
`19`	`19`	`return nil, fmt.Errorf("failed to create temporary directory: %v", err)`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ func DeleteTaskInTaskwarrior(email, encryptionSecret, uuid, taskuuid string) err`
`10`	`10`	`if err := utils.ExecCommand("rm", "-rf", "/root/.task"); err != nil {`
`11`	`11`	`return fmt.Errorf("error deleting Taskwarrior data: %v", err)`
`12`	`12`	`}`
`13`		`- tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)`
	`13`	`+ tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))`
`14`	`14`	`if err != nil {`
`15`	`15`	`return fmt.Errorf("failed to create temporary directory: %v", err)`
`16`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ func DeleteTasksInTaskwarrior(email, encryptionSecret, uuid string, taskUUIDs []`
`13`	`13`	`return nil, fmt.Errorf("error deleting Taskwarrior data: %v", err)`
`14`	`14`	`}`
`15`	`15`
`16`		`- tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)`
	`16`	`+ tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))`
`17`	`17`
`18`	`18`	`if err != nil {`
`19`	`19`	`return nil, fmt.Errorf("failed to create temporary directory: %v", err)`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ func EditTaskInTaskwarrior(uuid, description, email, encryptionSecret, taskID st`
`13`	`13`	`if err := utils.ExecCommand("rm", "-rf", "/root/.task"); err != nil {`
`14`	`14`	`return fmt.Errorf("error deleting Taskwarrior data: %v", err)`
`15`	`15`	`}`
`16`		`- tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)`
	`16`	`+ tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))`
`17`	`17`	`if err != nil {`
`18`	`18`	`return fmt.Errorf("failed to create temporary directory: %v", err)`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ func FetchTasksFromTaskwarrior(email, encryptionSecret, origin, UUID string) ([]`
`14`	`14`	`return nil, fmt.Errorf("error deleting Taskwarrior data: %v", err)`
`15`	`15`	`}`
`16`	`16`
`17`		`- tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)`
	`17`	`+ tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))`
`18`	`18`	`if err != nil {`
`19`	`19`	`return nil, fmt.Errorf("failed to create temporary directory: %v", err)`
`20`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ func ModifyTaskInTaskwarrior(uuid, description, project, priority, status, due,`
`11`	`11`	`if err := utils.ExecCommand("rm", "-rf", "/root/.task"); err != nil {`
`12`	`12`	`return fmt.Errorf("error deleting Taskwarrior data: %v", err)`
`13`	`13`	`}`
`14`		`- tempDir, err := os.MkdirTemp("", "taskwarrior-"+email)`
	`14`	`+ tempDir, err := os.MkdirTemp("", utils.SafeTempDirPrefix("taskwarrior-", email))`
`15`	`15`	`if err != nil {`
`16`	`16`	`return fmt.Errorf("failed to create temporary directory: %v", err)`
`17`	`17`	`}`