diff --git a/scripts/harness_checks/line_count_baseline.json b/scripts/harness_checks/line_count_baseline.json
index 796334f45..817dc8b32 100644
--- a/scripts/harness_checks/line_count_baseline.json
+++ b/scripts/harness_checks/line_count_baseline.json
@@ -1,11 +1,12 @@
 {
- "hard_cap": 3000,
- "warn_cap": 1500,
- "root": "harness-discipline-docs",
- "offenders": {
- "src/spark_cli/cli.py": 18105,
- "src/spark_cli/system_map.py": 5658,
- "tests/test_cli.py": 14759,
- "tests/test_system_map.py": 2055
- }
-}
+ "hard_cap": 3000,
+ "warn_cap": 1500,
+ "root": "harness-discipline-docs",
+ "offenders": {
+ "src/spark_cli/cli.py": 18111,
+ "src/spark_cli/system_map.py": 5658,
+ "tests/test_cli.py": 14759,
+ "tests/test_system_map.py": 2055
+ },
+ "src/spark_cli/cli.py": 18111
+}
\ No newline at end of file
diff --git a/src/spark_cli/cli.py b/src/spark_cli/cli.py
index 8a444135e..5259c3efb 100644
--- a/src/spark_cli/cli.py
+++ b/src/spark_cli/cli.py
@@ -9344,7 +9344,10 @@ def delete_revoke_all_secrets(secret_ids: Iterable[str], *, dry_run: bool = Fals
 def spawner_state_dir_for_revoke_all() -> Path:
 spawner_env = read_generated_env(MODULE_CONFIG_DIR / "spawner-ui.env")
 raw = spawner_env.get("SPAWNER_STATE_DIR") or str(STATE_DIR / "spawner-ui")
- return Path(raw).expanduser()
+ resolved = Path(raw).expanduser().resolve()
+ if not str(resolved).startswith(str(SPARK_HOME.resolve())):
+ raise SystemExit("SPAWNER_STATE_DIR escapes SPARK_HOME; refusing unsafe path.")
+ return resolved
 
 
 def load_json_best_effort(path: Path, default: Any) -> Any:
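Review bot: The new baseline gains a top-level key `"src/spark_cli/cli.py": 18111` after the `offenders` object closes, duplicating the entry already updated inside `offenders`. It looks like a stray write from whatever updated the count, and it should be dropped unless the line-count check reads top-level keys, which this diff does not show. The hunk also rewrites every line of the file and removes the trailing newline, which suggests an unintended indentation or line-ending change. Regenerating the file with the project's usual formatter would keep the diff down to the single changed number.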
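Review bot: The containment test on the added line `if not str(resolved).startswith(str(SPARK_HOME.resolve())):` compares strings rather than path components. A sibling directory that merely shares the prefix is therefore accepted as inside SPARK_HOME (constructed example: `/home/u/.spark-old/state` against a home of `/home/u/.spark`). Compare components instead, for example `if not resolved.is_relative_to(SPARK_HOME.resolve()):` on Python 3.9+, or call `resolved.relative_to(SPARK_HOME.resolve())` and treat `ValueError` as the escape case on older versions. The fallback `STATE_DIR / "spawner-ui"` goes through the same check, so if STATE_DIR can sit outside SPARK_HOME (not visible in this hunk) the default itself would abort revoke-all. A test covering a prefix-sharing sibling path and the default path would pin both behaviours.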