workspace share path hardening (#95)

* resolve relative paths for root path
* block share paths that go outside of root path
* fix test using invalid share_path
* validate that root path is absolute

1 files changed, 2 insertions, 2 deletions

diff --git a/src/zen/cmds/workspaces_cmd.cpp b/src/zen/cmds/workspaces_cmd.cpp
index afdf5d7f5..d83439b0a 100644
--- a/src/zen/cmds/workspaces_cmd.cpp
+++ b/src/zen/cmds/workspaces_cmd.cpp
@@ -91,7 +91,7 @@ WorkspaceCommand::Run(const ZenCliOptions& GlobalOptions, int argc, char** argv)
 			ZEN_CONSOLE("Using generated workspace id from path '{}'", m_Path);
 		}
 
-		HttpClient::KeyValueMap Params{{"root_path", m_Path}};
+		HttpClient::KeyValueMap Params{{"root_path", std::filesystem::absolute(m_Path).string()}};
 		if (HttpClient::Response Result = Http.Put(fmt::format("/ws/{}", m_Id), Params))
 		{
 			ZEN_CONSOLE("{}. Id: {}", Result, Result.AsText());
@@ -276,7 +276,7 @@ WorkspaceShareCommand::Run(const ZenCliOptions& GlobalOptions, int argc, char**
 	{
 		if (!m_WorkspaceRoot.empty())
 		{
-			HttpClient::KeyValueMap Params{{"root_path", m_WorkspaceRoot}};
+			HttpClient::KeyValueMap Params{{"root_path", std::filesystem::absolute(m_WorkspaceRoot).string()}};
 			if (HttpClient::Response Result =
 					Http.Put(fmt::format("/ws/{}", m_WorkspaceId.empty() ? Oid::Zero.ToString() : m_WorkspaceId), Params))
 			{