feat(cli): remove .github dirs when initializing with a remote templa…

…te (#8036)
sanity-io · Dec 13, 2024 · 2222e9e · 2222e9e
1 parent 85de530
commit 2222e9e
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/packages/@sanity/cli/src/util/remoteTemplate.ts b/packages/@sanity/cli/src/util/remoteTemplate.ts
@@ -14,6 +14,11 @@ import {x} from 'tar'
 
 import {type CliApiClient, type PackageJson} from '../types'
 
+const DISALLOWED_PATHS = [
+  // Prevent security risks from unknown GitHub Actions
+  '/.github/',
+]
+
 const ENV_VAR = {
   ...REQUIRED_ENV_VAR,
   READ_TOKEN: 'SANITY_API_READ_TOKEN',
@@ -181,6 +186,9 @@ export async function downloadAndExtractRepo(
           const pathSegments = posixPath.split(posix.sep)
           rootPath = pathSegments.length ? pathSegments[0] : null
         }
+        for (const disallowedPath of DISALLOWED_PATHS) {
+          if (posixPath.includes(disallowedPath)) return false
+        }
         return posixPath.startsWith(`${rootPath}${filePath ? `/${filePath}/` : '/'}`)
       },
     }),