
tessl-labs/input-sanitization

Sanitize and validate user input at system boundaries — prevent XSS, SQL

94 (1.20x)

Quality: 89% (Does it follow best practices?)

Impact: 100% (1.20x); average score across 6 eval scenarios

Security by Snyk: Passed (No known issues)


evals/scenario-5/criteria.json

{
  "context": "Tests whether the agent prevents path traversal attacks when serving user-specified files and prevents command injection when user input is passed to a shell command. Covers path.resolve + startsWith containment checks, and the requirement to use execFile/spawn with argument arrays instead of exec() or shell: true.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Base directory resolved",
      "description": "The uploads/base directory is resolved to an absolute path using path.resolve() or os.path.realpath() before being used in path construction",
      "max_score": 10
    },
    {
      "name": "Joined path resolved",
      "description": "The combined path (base + user filename) is also passed through path.resolve() or os.path.realpath() to eliminate any ../ sequences",
      "max_score": 10
    },
    {
      "name": "startsWith containment check",
      "description": "The resolved combined path is checked with .startsWith(uploadsDir + path.sep) (or equivalent with os.sep) to verify it remains within the allowed directory",
      "max_score": 15
    },
    {
      "name": "400 on path traversal attempt",
      "description": "Returns HTTP 400 (or equivalent error) when the resolved path escapes the allowed directory, rather than serving the file or crashing",
      "max_score": 10
    },
    {
      "name": "No exec() with user input",
      "description": "Does NOT use child_process.exec() or os.system() or subprocess with shell=True where user-supplied data appears in the command string",
      "max_score": 15
    },
    {
      "name": "execFile or spawn used",
      "description": "Shell commands that process files use execFile(), spawn() (Node.js) or subprocess.run() with a list argument (Python) — passing the user-supplied filename as a separate array element",
      "max_score": 15
    },
    {
      "name": "User input as argument, not shell string",
      "description": "The user-supplied filename appears as a separate element in an argument array, NOT interpolated into a command string",
      "max_score": 15
    },
    {
      "name": "Numeric dimensions validated",
      "description": "Width and height query parameters are parsed as integers and validated (checked for NaN, non-positive values, and reasonable upper bounds) before being passed to the image processing command",
      "max_score": 10
    }
  ]
}
