systeminit · stack72 · Feb 19, 2026 · Feb 19, 2026
diff --git a/src/infrastructure/persistence/yaml_vault_config_repository.ts b/src/infrastructure/persistence/yaml_vault_config_repository.ts
@@ -18,7 +18,7 @@
 // along with Swamp.  If not, see <https://www.gnu.org/licenses/>.
 
 import { ensureDir } from "@std/fs";
-import { join } from "@std/path";
+import { join, resolve } from "@std/path";
 import { parse as parseYaml, stringify as stringifyYaml } from "@std/yaml";
 import { atomicWriteTextFile } from "./atomic_write.ts";
 import { SWAMP_SUBDIRS, swampPath } from "./paths.ts";
@@ -234,7 +234,27 @@ export class YamlVaultConfigRepository {
    * Gets the directory for a specific vault type.
    */
   private getTypeDir(vaultType: string): string {
-    return join(this.getVaultDir(), vaultType);
+    const vaultDir = this.getVaultDir();
+    const result = join(vaultDir, vaultType);
+    this.assertPathContained(result, vaultDir, `vaultType "${vaultType}"`);
+    return result;
+  }
+
+  private assertPathContained(
+    path: string,
+    expectedParent: string,
+    context: string,
+  ): void {
+    const resolvedPath = resolve(path);
+    const resolvedParent = resolve(expectedParent);
+    if (
+      resolvedPath !== resolvedParent &&
+      !resolvedPath.startsWith(resolvedParent + "/")
+    ) {
+      throw new Error(
+        `Path traversal detected: ${context} resolves outside expected directory`,
+      );
+    }
   }
 
   /**

diff --git a/src/infrastructure/persistence/yaml_vault_config_repository_test.ts b/src/infrastructure/persistence/yaml_vault_config_repository_test.ts
@@ -0,0 +1,67 @@
+// Swamp, an Automation Framework
+// Copyright (C) 2026 System Initiative, Inc.
+//
+// This file is part of Swamp.
+//
+// Swamp is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License version 3
+// as published by the Free Software Foundation, with the Swamp
+// Extension and Definition Exception (found in the "COPYING-EXCEPTION"
+// file).
+//
+// Swamp is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with Swamp.  If not, see <https://www.gnu.org/licenses/>.
+
+import { assertRejects } from "@std/assert";
+import { YamlVaultConfigRepository } from "./yaml_vault_config_repository.ts";
+
+Deno.test("YamlVaultConfigRepository - normal vault types resolve correctly", async () => {
+  const dir = await Deno.makeTempDir();
+  try {
+    const repo = new YamlVaultConfigRepository(dir);
+    // These should not throw - normal vault types
+    const resultAws = await repo.findAllByType("aws");
+    const resultLocal = await repo.findAllByType("local_encryption");
+    // Both return empty arrays since the vault dir doesn't exist yet
+    if (
+      !Array.isArray(resultAws) || !Array.isArray(resultLocal)
+    ) {
+      throw new Error("Expected arrays");
+    }
+  } finally {
+    await Deno.remove(dir, { recursive: true });
+  }
+});
+
+Deno.test("YamlVaultConfigRepository - path traversal via ../../.ssh throws", async () => {
+  const dir = await Deno.makeTempDir();
+  try {
+    const repo = new YamlVaultConfigRepository(dir);
+    await assertRejects(
+      () => repo.findAllByType("../../.ssh"),
+      Error,
+      "Path traversal detected",
+    );
+  } finally {
+    await Deno.remove(dir, { recursive: true });
+  }
+});
+
+Deno.test("YamlVaultConfigRepository - path traversal via ../foo throws", async () => {
+  const dir = await Deno.makeTempDir();
+  try {
+    const repo = new YamlVaultConfigRepository(dir);
+    await assertRejects(
+      () => repo.findAllByType("../foo"),
+      Error,
+      "Path traversal detected",
+    );
+  } finally {
+    await Deno.remove(dir, { recursive: true });
+  }
+});