Harden catalog sync and installer path handling

Author: KSemenenko

cli/ManagedCode.DotnetSkills/Runtime/AgentCatalogPackage.cs

@@ -35,11 +35,19 @@ public static AgentCatalogPackage LoadFromDirectory(DirectoryInfo rootDirectory,
         return new AgentCatalogPackage(rootDirectory, agents, sourceLabel);
     }
 
+    public static AgentCatalogPackage LoadFromManifest(DirectoryInfo catalogRoot, AgentManifest manifest, string sourceLabel)
+    {
+        return new AgentCatalogPackage(catalogRoot, manifest.Agents, sourceLabel);
+    }
+
     public DirectoryInfo ResolveAgentSource(string agentName)
     {
         var agent = Agents.FirstOrDefault(candidate => string.Equals(candidate.Name, agentName, StringComparison.OrdinalIgnoreCase))
             ?? throw new InvalidOperationException($"Agent metadata is missing for {agentName} in {SourceLabel}");
-        var directory = new DirectoryInfo(Path.Combine(CatalogRoot.FullName, agent.Path.Replace('/', Path.DirectorySeparatorChar)));
+        var directory = PathSafety.ResolveDirectoryWithinRoot(
+            CatalogRoot,
+            agent.Path,
+            $"Agent payload path for {agentName} in {SourceLabel}");
         if (!directory.Exists)
         {
             throw new InvalidOperationException($"Agent payload is missing for {agentName} in {SourceLabel}");

cli/ManagedCode.DotnetSkills/Runtime/AgentInstaller.cs

@@ -36,7 +36,7 @@ public AgentInstallSummary Install(IReadOnlyList<AgentEntry> agents, AgentInstal
         {
             var sourceDirectory = catalog.ResolveAgentSource(agent.Name);
             var fileName = $"{agent.Name}{layout.FileExtension}";
-            var destinationFile = new FileInfo(Path.Combine(layout.PrimaryRoot.FullName, fileName));
+            var destinationFile = ResolveInstalledAgentFile(layout, agent, fileName);
 
             if (destinationFile.Exists && !force)
             {
@@ -92,7 +92,7 @@ public AgentRemoveSummary Remove(IReadOnlyList<AgentEntry> agents, AgentInstallL
         foreach (var agent in agents)
         {
             var fileName = $"{agent.Name}{layout.FileExtension}";
-            var destinationFile = new FileInfo(Path.Combine(layout.PrimaryRoot.FullName, fileName));
+            var destinationFile = ResolveInstalledAgentFile(layout, agent, fileName);
 
             if (!destinationFile.Exists)
             {
@@ -110,7 +110,7 @@ public AgentRemoveSummary Remove(IReadOnlyList<AgentEntry> agents, AgentInstallL
     public bool IsInstalled(AgentEntry agent, AgentInstallLayout layout)
     {
         var fileName = $"{agent.Name}{layout.FileExtension}";
-        return File.Exists(Path.Combine(layout.PrimaryRoot.FullName, fileName));
+        return ResolveInstalledAgentFile(layout, agent, fileName).Exists;
     }
 
     public IReadOnlyList<InstalledAgentRecord> GetInstalledAgents(AgentInstallLayout layout)
@@ -140,6 +140,14 @@ private static bool TryResolveAgent(
         return false;
     }
 
+    private static FileInfo ResolveInstalledAgentFile(AgentInstallLayout layout, AgentEntry agent, string fileName)
+    {
+        return PathSafety.ResolveFileWithinRoot(
+            layout.PrimaryRoot,
+            fileName,
+            $"Installed agent path for {agent.Name}");
+    }
+
     private static void WriteMarkdownAgent(FileInfo destinationFile, DirectoryInfo sourceDirectory)
     {
         var agentFile = new FileInfo(Path.Combine(sourceDirectory.FullName, "AGENT.md"));

cli/ManagedCode.DotnetSkills/Runtime/GitHubCatalogReleaseClient.cs

@@ -13,6 +13,7 @@ internal sealed class GitHubCatalogReleaseClient
     private const string CatalogTagPrefix = "catalog-v";
     private const string CatalogManifestAssetName = "dotnet-skills-manifest.json";
     private const string CatalogPayloadAssetName = "dotnet-skills-catalog.zip";
+    private const int ReleasesPerPage = 50;
 
     private static readonly JsonSerializerOptions JsonOptions = new()
     {
@@ -70,6 +71,7 @@ public async Task<SkillCatalogPackage> SyncAsync(string? catalogVersion, bool fo
         cacheRoot.Create();
 
         var tempDirectory = new DirectoryInfo(Path.Combine(cacheRoot.FullName, $".tmp-{Guid.NewGuid():N}"));
+        DirectoryInfo? stagedReleaseDirectory = new DirectoryInfo(Path.Combine(cacheRoot.FullName, $".stage-{Guid.NewGuid():N}"));
         tempDirectory.Create();
 
         try
@@ -85,15 +87,13 @@ public async Task<SkillCatalogPackage> SyncAsync(string? catalogVersion, bool fo
 
             ZipFile.ExtractToDirectory(archivePath, tempDirectory.FullName, overwriteFiles: true);
 
-            if (releaseDirectory.Exists)
-            {
-                releaseDirectory.Delete(recursive: true);
-            }
-
             var extractedCatalogDirectory = ResolveExtractedCatalogDirectory(tempDirectory);
 
-            releaseDirectory.Create();
-            SkillInstaller.CopyDirectory(extractedCatalogDirectory, new DirectoryInfo(Path.Combine(releaseDirectory.FullName, "catalog")));
+            stagedReleaseDirectory.Create();
+            SkillInstaller.CopyDirectory(extractedCatalogDirectory, new DirectoryInfo(Path.Combine(stagedReleaseDirectory.FullName, "catalog")));
+            SkillCatalogPackage.LoadFromDirectory(stagedReleaseDirectory, $"GitHub release {release.TagName}", release.Version);
+            ReplaceReleaseDirectory(stagedReleaseDirectory, releaseDirectory);
+            stagedReleaseDirectory = null;
 
             return SkillCatalogPackage.LoadFromDirectory(releaseDirectory, $"GitHub release {release.TagName}", release.Version);
         }
@@ -103,6 +103,11 @@ public async Task<SkillCatalogPackage> SyncAsync(string? catalogVersion, bool fo
             {
                 tempDirectory.Delete(recursive: true);
             }
+
+            if (stagedReleaseDirectory?.Exists == true)
+            {
+                stagedReleaseDirectory.Delete(recursive: true);
+            }
         }
     }
 
@@ -177,11 +182,26 @@ internal static DirectoryInfo ResolveExtractedCatalogDirectory(DirectoryInfo ext
 
     private async Task<IReadOnlyList<GitHubRelease>> GetReleasesAsync(CancellationToken cancellationToken)
     {
-        using var response = await httpClient.GetAsync($"https://api.github.com/repos/{Owner}/{Repository}/releases?per_page=50", cancellationToken);
-        response.EnsureSuccessStatusCode();
+        var releases = new List<GitHubRelease>();
 
-        await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken);
-        return await JsonSerializer.DeserializeAsync<List<GitHubRelease>>(stream, JsonOptions, cancellationToken) ?? [];
+        for (var page = 1; ; page++)
+        {
+            using var response = await httpClient.GetAsync(
+                $"https://api.github.com/repos/{Owner}/{Repository}/releases?per_page={ReleasesPerPage}&page={page}",
+                cancellationToken);
+            response.EnsureSuccessStatusCode();
+
+            await using var stream = await response.Content.ReadAsStreamAsync(cancellationToken);
+            var releasePage = await JsonSerializer.DeserializeAsync<List<GitHubRelease>>(stream, JsonOptions, cancellationToken) ?? [];
+            releases.AddRange(releasePage);
+
+            if (releasePage.Count < ReleasesPerPage)
+            {
+                break;
+            }
+        }
+
+        return releases;
     }
 
     private async Task<GitHubRelease> GetReleaseByTagAsync(string tag, CancellationToken cancellationToken)
@@ -196,7 +216,7 @@ private async Task<GitHubRelease> GetReleaseByTagAsync(string tag, CancellationT
 
     private async Task<Stream> DownloadAssetAsync(string downloadUrl, CancellationToken cancellationToken)
     {
-        var request = new HttpRequestMessage(HttpMethod.Get, downloadUrl);
+        using var request = new HttpRequestMessage(HttpMethod.Get, downloadUrl);
         using var response = await httpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, cancellationToken);
         response.EnsureSuccessStatusCode();
 
@@ -215,6 +235,36 @@ private static HttpClient CreateHttpClient()
         return httpClient;
     }
 
+    private static void ReplaceReleaseDirectory(DirectoryInfo stagedReleaseDirectory, DirectoryInfo releaseDirectory)
+    {
+        DirectoryInfo? backupDirectory = null;
+
+        try
+        {
+            if (releaseDirectory.Exists)
+            {
+                backupDirectory = new DirectoryInfo(Path.Combine(releaseDirectory.Parent!.FullName, $".backup-{Guid.NewGuid():N}"));
+                releaseDirectory.MoveTo(backupDirectory.FullName);
+            }
+
+            stagedReleaseDirectory.MoveTo(releaseDirectory.FullName);
+
+            if (backupDirectory?.Exists == true)
+            {
+                backupDirectory.Delete(recursive: true);
+            }
+        }
+        catch
+        {
+            if (!releaseDirectory.Exists && backupDirectory?.Exists == true)
+            {
+                backupDirectory.MoveTo(releaseDirectory.FullName);
+            }
+
+            throw;
+        }
+    }
+
     private static NuGetVersion? TryParseCatalogVersion(string tagName)
     {
         if (!tagName.StartsWith(CatalogTagPrefix, StringComparison.Ordinal))

cli/ManagedCode.DotnetSkills/Runtime/PathSafety.cs

@@ -0,0 +1,46 @@
+namespace ManagedCode.DotnetSkills.Runtime;
+
+internal static class PathSafety
+{
+    public static DirectoryInfo ResolveDirectoryWithinRoot(DirectoryInfo root, string relativePath, string description)
+    {
+        return new DirectoryInfo(ResolvePathWithinRoot(root, relativePath, description));
+    }
+
+    public static FileInfo ResolveFileWithinRoot(DirectoryInfo root, string relativePath, string description)
+    {
+        return new FileInfo(ResolvePathWithinRoot(root, relativePath, description));
+    }
+
+    internal static string ResolvePathWithinRoot(DirectoryInfo root, string relativePath, string description)
+    {
+        if (string.IsNullOrWhiteSpace(relativePath))
+        {
+            throw new InvalidOperationException($"{description} must not use an empty path.");
+        }
+
+        var normalizedRelativePath = relativePath
+            .Replace('\\', Path.DirectorySeparatorChar)
+            .Replace('/', Path.DirectorySeparatorChar);
+        var rootPath = EnsureTrailingSeparator(Path.GetFullPath(root.FullName));
+        var candidatePath = Path.GetFullPath(Path.Combine(root.FullName, normalizedRelativePath));
+
+        if (!candidatePath.StartsWith(rootPath, PathComparison)
+            || string.Equals(candidatePath, rootPath.TrimEnd(Path.DirectorySeparatorChar), PathComparison))
+        {
+            throw new InvalidOperationException($"{description} must stay within {root.FullName}.");
+        }
+
+        return candidatePath;
+    }
+
+    private static StringComparison PathComparison =>
+        OperatingSystem.IsWindows() ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
+
+    private static string EnsureTrailingSeparator(string path)
+    {
+        return path.EndsWith(Path.DirectorySeparatorChar)
+            ? path
+            : path + Path.DirectorySeparatorChar;
+    }
+}

cli/ManagedCode.DotnetSkills/Runtime/ProjectSkillRecommender.cs

@@ -306,7 +306,16 @@ public static ProjectInventory Load(IEnumerable<FileInfo> projectFiles)
 
         foreach (var projectFile in projectFiles)
         {
-            var document = XDocument.Load(projectFile.FullName, LoadOptions.None);
+            XDocument document;
+            try
+            {
+                document = XDocument.Load(projectFile.FullName, LoadOptions.None);
+            }
+            catch (Exception exception) when (exception is IOException or UnauthorizedAccessException or System.Xml.XmlException)
+            {
+                continue;
+            }
+
             var projectElement = document.Root;
             if (projectElement is null)
             {

cli/ManagedCode.DotnetSkills/Runtime/SkillCatalogPackage.cs

@@ -55,7 +55,10 @@ public DirectoryInfo ResolveSkillSource(string skillName)
     {
         var skill = Skills.FirstOrDefault(candidate => string.Equals(candidate.Name, skillName, StringComparison.OrdinalIgnoreCase))
             ?? throw new InvalidOperationException($"Skill metadata is missing for {skillName} in {SourceLabel}");
-        var directory = new DirectoryInfo(Path.Combine(CatalogRoot.FullName, skill.Path.Replace('/', Path.DirectorySeparatorChar)));
+        var directory = PathSafety.ResolveDirectoryWithinRoot(
+            CatalogRoot,
+            skill.Path,
+            $"Skill payload path for {skillName} in {SourceLabel}");
         if (!directory.Exists)
         {
             throw new InvalidOperationException($"Skill payload is missing for {skillName} in {SourceLabel}");

cli/ManagedCode.DotnetSkills/Runtime/SkillInstaller.cs

@@ -76,7 +76,7 @@ public SkillInstallSummary Install(IReadOnlyList<SkillEntry> skills, SkillInstal
         foreach (var skill in skills)
         {
             var sourceDirectory = catalog.ResolveSkillSource(skill.Name);
-            var destinationDirectory = new DirectoryInfo(Path.Combine(layout.PrimaryRoot.FullName, skill.Name));
+            var destinationDirectory = ResolveInstalledSkillDirectory(layout, skill);
 
             if (destinationDirectory.Exists)
             {
@@ -103,7 +103,7 @@ public SkillRemoveSummary Remove(IReadOnlyList<SkillEntry> skills, SkillInstallL
 
         foreach (var skill in skills)
         {
-            var destinationDirectory = new DirectoryInfo(Path.Combine(layout.PrimaryRoot.FullName, skill.Name));
+            var destinationDirectory = ResolveInstalledSkillDirectory(layout, skill);
             if (!destinationDirectory.Exists)
             {
                 missingSkills.Add(skill.Name);
@@ -119,7 +119,7 @@ public SkillRemoveSummary Remove(IReadOnlyList<SkillEntry> skills, SkillInstallL
 
     public bool IsInstalled(SkillEntry skill, SkillInstallLayout layout)
     {
-        return Directory.Exists(Path.Combine(layout.PrimaryRoot.FullName, skill.Name));
+        return ResolveInstalledSkillDirectory(layout, skill).Exists;
     }
 
     public IReadOnlyList<InstalledSkillRecord> GetInstalledSkills(SkillInstallLayout layout)
@@ -179,10 +179,19 @@ private static string NormalizePackageKey(string value)
         return new string(value.Where(char.IsLetterOrDigit).ToArray()).ToLowerInvariant();
     }
 
+    private static DirectoryInfo ResolveInstalledSkillDirectory(SkillInstallLayout layout, SkillEntry skill)
+    {
+        return PathSafety.ResolveDirectoryWithinRoot(
+            layout.PrimaryRoot,
+            skill.Name,
+            $"Installed skill path for {skill.Name}");
+    }
+
     private static string ReadInstalledVersion(SkillEntry skill, SkillInstallLayout layout)
     {
-        return ReadManifestValue(Path.Combine(layout.PrimaryRoot.FullName, skill.Name, "manifest.json"), "version")
-            ?? ReadFrontMatterValue(Path.Combine(layout.PrimaryRoot.FullName, skill.Name, "SKILL.md"), "version")
+        var skillDirectory = ResolveInstalledSkillDirectory(layout, skill);
+        return ReadManifestValue(Path.Combine(skillDirectory.FullName, "manifest.json"), "version")
+            ?? ReadFrontMatterValue(Path.Combine(skillDirectory.FullName, "SKILL.md"), "version")
             ?? "unknown";
     }
 

tests/ManagedCode.DotnetSkills.Tests/AgentInstallerTests.cs

@@ -69,4 +69,45 @@ public void Install_MarkdownAgentFiles_CopiesAgentMarkdown()
         Assert.Contains("name: dotnet-router", contents, StringComparison.Ordinal);
         Assert.Contains("# .NET Router", contents, StringComparison.Ordinal);
     }
+
+    [Fact]
+    public void Install_RejectsAgentNameThatEscapesLayoutRoot()
+    {
+        using var tempDirectory = new TemporaryDirectory();
+        var sourceDirectory = Directory.CreateDirectory(Path.Combine(tempDirectory.Path, "catalog", "Frameworks", "Aspire", "agents", "dotnet-safe-agent"));
+        File.WriteAllText(
+            Path.Combine(sourceDirectory.FullName, "AGENT.md"),
+            """
+            ---
+            name: dotnet-safe-agent
+            description: "safe"
+            ---
+
+            # Safe agent
+            """);
+
+        var manifest = new AgentManifest
+        {
+            Agents =
+            [
+                new AgentEntry
+                {
+                    Name = "../escape",
+                    Title = "Escape",
+                    Description = "Escape test",
+                    Path = "catalog/Frameworks/Aspire/agents/dotnet-safe-agent"
+                },
+            ],
+        };
+
+        var catalog = AgentCatalogPackage.LoadFromManifest(new DirectoryInfo(tempDirectory.Path), manifest, "test payload");
+        var installer = new AgentInstaller(catalog);
+        using var installDirectory = new TemporaryDirectory();
+        var layout = new AgentInstallLayout(AgentPlatform.Claude, InstallScope.Project, AgentInstallMode.MarkdownAgentFiles, new DirectoryInfo(installDirectory.Path), false);
+
+        var exception = Assert.Throws<InvalidOperationException>(() => installer.Install(catalog.Agents, layout, force: false));
+
+        Assert.Contains("must stay within", exception.Message, StringComparison.Ordinal);
+        Assert.False(File.Exists(Path.Combine(tempDirectory.Path, "escape.md")));
+    }
 }