From ccc9af75a61adb60a4c94a7587ca107c0821b5e6 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 12 Feb 2026 17:17:49 +0000
Subject: [PATCH] generate_man.js: Catch path traversal issues

Not really a security issue (this would require an attacker to either commit a file to git or otherwise compromise the build process), but generally useful as a check to make sure the include path is sane and not leaking data accidentally.
---
 util/generate_man.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/util/generate_man.js b/util/generate_man.js
index e25c835ed..68b938aaf 100755
--- a/util/generate_man.js
+++ b/util/generate_man.js
@@ -46,8 +46,15 @@ const doInclude = (content, includes, f) => {
 if (!m1.length) return m
 /* VitePress MD supports paths relative to base with leading
 * '@'. */
- if (m1.startsWith('@'))
- return doInclude(fs.readFileSync(process.cwd() + '/' + m1.slice(1), 'utf8'), includes, f)
+ if (m1.startsWith('@')) {
+ const cwd = process.cwd()
+ const targetPath = path.resolve(cwd, m1.slice(1))
+ const relative = path.relative(cwd, targetPath)
+ if (relative.startsWith('..') || path.isAbsolute(relative)) {
+ throw new Error("Path traversal detected in include: " + m1)
+ }
+ return doInclude(fs.readFileSync(targetPath, 'utf8'), includes, f)
+ }
 const inc_f = path.basename(m1)
 for (const fn of includes) {
 if (path.basename(fn) == inc_f)
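Review bot: `path.resolve(cwd, m1.slice(1))` treats a slice that begins with `/` as an absolute path, so an include written in the VitePress form `@/foo.md` resolves to `/foo.md` and the new guard throws, whereas the old `process.cwd() + '/' + m1.slice(1)` concatenation still pointed inside the tree — if any include is written that way this is a regression, and `const targetPath = path.join(cwd, m1.slice(1))` keeps the root anchored at cwd while still normalizing `..` for the check that follows. The test `relative.startsWith('..')` also rejects any in-tree entry whose name merely begins with two dots; the usual form is `relative === '..' || relative.startsWith('..' + path.sep)`. Both resolutions are lexical, so a symlink inside the tree can still point outside it; comparing `fs.realpathSync(targetPath)` against cwd would cover that case if the check is meant to be authoritative. doInclude's signature and the rest of its body lie outside the hunk.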