Validate a session ID to prevent path traversal. Rejects IDs containing `..`, `/`, `\`, or null bytes.
(session_id: &str)
| 646 | /// |
| 647 | /// Rejects IDs containing `..`, `/`, `\`, or null bytes. |
| 648 | fn validate_session_id(session_id: &str) -> AgentResult<()> { |
| 649 | if session_id.is_empty() { |
| 650 | return Err(AgentError::SessionIdInvalid { |
| 651 | session_id: "(empty)".to_string(), |
| 652 | }); |
| 653 | } |
| 654 | |
| 655 | if session_id.contains("..") |
| 656 | || session_id.contains('/') |
| 657 | || session_id.contains('\\') |
| 658 | || session_id.contains('\0') |
| 659 | { |
| 660 | return Err(AgentError::SessionIdInvalid { |
| 661 | session_id: session_id.to_string(), |
| 662 | }); |
| 663 | } |
| 664 | |
| 665 | // Reject very long session IDs (filesystem path limits) |
| 666 | if session_id.len() > 255 { |
| 667 | return Err(AgentError::SessionIdInvalid { |
| 668 | session_id: format!( |
| 669 | "{}... (too long: {} chars)", |
| 670 | &session_id[..20], |
| 671 | session_id.len() |
| 672 | ), |
| 673 | }); |
| 674 | } |
| 675 | |
| 676 | Ok(()) |
| 677 | } |
| 678 | |
| 679 | // Tests |
| 680 |