fix: validate script names to prevent path traversal attacks

Change-Id: Ie765802a9d713726bdc7401c88e550b8093aac5f
Signed-off-by: Test <test@example.com>

Author: Test

src/node/services/ipcMain.ts

@@ -1244,8 +1244,25 @@ export class IpcMain {
           }
 
           try {
+            // Validate scriptName doesn't contain path separators (prevent path traversal)
+            if (scriptName.includes("/") || scriptName.includes("\\") || scriptName.includes("..")) {
+              return Err(
+                `Invalid script name: ${scriptName}. Script names must not contain path separators.`
+              );
+            }
+
             const scriptPath = getScriptPath(workspacePath, scriptName);
 
+            // Double-check the resolved path stays within scripts directory
+            const scriptsDir = path.join(workspacePath, ".cmux", "scripts");
+            const normalizedScriptPath = path.normalize(scriptPath);
+            const normalizedScriptsDir = path.normalize(scriptsDir);
+            if (!normalizedScriptPath.startsWith(normalizedScriptsDir + path.sep)) {
+              return Err(
+                `Invalid script name: ${scriptName}. Script path escapes scripts directory.`
+              );
+            }
+
             let scriptExists = false;
             try {
               const stat = await runtimeInstance.stat(scriptPath);