From 85426689fcae3ae446366c8da85ac8f8591780c8 Mon Sep 17 00:00:00 2001
From: Test User
Date: Sun, 26 Apr 2026 19:58:56 +0800
Subject: [PATCH] Validate hostname before using it in domain-skills path

The hostname extracted from the URL was used directly in a path construction without sanitization. A crafted hostname could potentially traverse outside the intended domain-skills directory. Now the hostname is validated to be alphanumeric before use.

Co-Authored-By: Claude Opus 4.7
---
 helpers.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/helpers.py b/helpers.py
index 7cd6ddef..9a948bdb 100644
--- a/helpers.py
+++ b/helpers.py
@@ -49,8 +49,12 @@ def drain_events():
     return _send({"meta": "drain_events"})["events"]
 # --- navigation / page ---
 def goto_url(url):
     r = cdp("Page.navigate", url=url)
-    d = (Path(__file__).parent / "domain-skills" / (urlparse(url).hostname or "").removeprefix("www.").split(".")[0])
-    return {**r, "domain_skills": sorted(p.name for p in d.rglob("*.md"))[:10]} if d.is_dir() else r
+    hostname = (urlparse(url).hostname or "").removeprefix("www.").split(".")[0]
+    if hostname and hostname.isalnum():
+        d = Path(__file__).parent / "domain-skills" / hostname
+        if d.is_dir():
+            return {**r, "domain_skills": sorted(p.name for p in d.rglob("*.md"))[:10]}
+    return r
 def page_info():
     """{url, title, w, h, sx, sy, pw, ph} — viewport + scroll + page size.
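Review bot: The new `hostname.isalnum()` guard in goto_url does close the path-component hole (no `/`, `\` or `.` can pass), but it is both too strict and too loose for a hostname label: it rejects the hyphen that RFC 1123 labels may contain, so any site such as `my-site.example` silently loses its `domain_skills` entry, and `str.isalnum()` is Unicode-aware, so non-ASCII letters and digits are accepted even though they will never match an ASCII directory name under `domain-skills`. An explicit ASCII allow-list keeps the traversal protection and restores hyphenated hosts, e.g. `if hostname and hostname.isascii() and hostname.replace("-", "").isalnum():` (`str.isascii` is available wherever `removeprefix` is). Since this label is attacker-controlled input that becomes a filesystem path component, the check deserves a comment stating that intent, e.g. `# hostname comes from the caller's URL; only an ASCII label may become a path component`, and the new silent fall-through to `return r` on a rejected label should be mentioned in a docstring for goto_url, which currently has none. Whether `urlparse` can raise `ValueError` for malformed bracketed hosts depends on the Python version and is not handled here either way; that predates this change.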