shakacode
diff --git a/‎package/configExporter/cli.ts‎
Lines changed: 49 additions & 7 deletions b/‎package/configExporter/cli.ts‎
Lines changed: 49 additions & 7 deletions
@@ -13,10 +13,15 @@ import { ConfigFileLoader, generateSampleConfigFile } from "./configFile"
 import { BuildValidator } from "./buildValidator"
 
 // Read version from package.json
-const packageJson = JSON.parse(
-  readFileSync(resolve(__dirname, "../../package.json"), "utf8")
-)
-const VERSION = packageJson.version
+let VERSION = "unknown"
+try {
+  const packageJson = JSON.parse(
+    readFileSync(resolve(__dirname, "../../package.json"), "utf8")
+  )
+  VERSION = packageJson.version || "unknown"
+} catch (error) {
+  console.warn("Could not read version from package.json")
+}
 
 /**
  * Environment variable names that can be set by build configurations
@@ -31,6 +36,22 @@ const BUILD_ENV_VARS = [
   "SERVER_BUNDLE_ONLY"
 ] as const
 
+/**
+ * Validates that a path is within the current working directory
+ * to prevent path traversal attacks
+ * @param path - The path to validate
+ * @param baseDir - The base directory (defaults to cwd)
+ * @throws Error if path is outside baseDir
+ */
+function validatePath(path: string, baseDir: string = process.cwd()): void {
+  const resolvedPath = resolve(path)
+  const resolvedBase = resolve(baseDir)
+
+  if (!resolvedPath.startsWith(resolvedBase)) {
+    throw new Error(`Path must be within ${resolvedBase}. Got: ${resolvedPath}`)
+  }
+}
+
 /**
  * Saves current values of build environment variables for later restoration
  * @returns Object mapping variable names to their current values (or undefined)
@@ -103,6 +124,14 @@ export async function run(args: string[]): Promise<number> {
     // Apply defaults
     const resolvedOptions = applyDefaults(options)
 
+    // Validate paths for security AFTER defaults are applied
+    if (resolvedOptions.output) {
+      validatePath(resolvedOptions.output)
+    }
+    if (resolvedOptions.saveDir) {
+      validatePath(resolvedOptions.saveDir)
+    }
+
     // Validate after defaults are applied
     if (resolvedOptions.annotate && resolvedOptions.format !== "yaml") {
       throw new Error(
@@ -144,7 +173,7 @@ export async function run(args: string[]): Promise<number> {
   }
 }
 
-function parseArguments(args: string[]): ExportOptions {
+export function parseArguments(args: string[]): ExportOptions {
   const argv = yargs(args)
     .version(VERSION)
     .usage(
@@ -235,11 +264,24 @@ QUICK START (for troubleshooting):
         "Enable inline documentation (YAML only, default with --doctor or file output)"
     })
     .option("depth", {
-      type: "number",
       default: 20,
       coerce: (value: number | string) => {
+        // Handle "null" string for unlimited depth
         if (value === "null" || value === null) return null
-        return typeof value === "number" ? value : parseInt(String(value), 10)
+
+        // Reject non-numeric types (arrays, objects, etc.)
+        if (typeof value !== "number" && typeof value !== "string") {
+          throw new Error(
+            `--depth must be a number or 'null', got: ${typeof value}`
+          )
+        }
+
+        const parsed =
+          typeof value === "number" ? value : parseInt(String(value), 10)
+        if (isNaN(parsed)) {
+          throw new Error(`--depth must be a number or 'null', got: ${value}`)
+        }
+        return parsed
       },
       description: "Inspection depth (use 'null' for unlimited)"
     })