timezone: disallow directory traversal

[rsmarples]

Don't allow a timezone definition to go outside of it's directory

Reported by Hu Xinyao and NVIDIA Project Vanessa

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 11e60310-dfdf-4d7e-a767-a34d1e611463

📥 Commits

Reviewing files that changed from the base of the PR and between 56fdb16 and 0b0adb4.

📒 Files selected for processing (1)

• hooks/15-timezone

---

Walkthrough

In hooks/15-timezone, set_zoneinfo() gains two hardening changes: a directory-traversal guard that rejects new_tzdb_timezone values containing ../ (logging a warning and returning failure), and a stricter file existence check that replaces -e with -f so only a regular file satisfies the zone definition test.

Changes

Timezone hook input validation

Layer / File(s)	Summary
Traversal guard and regular-file check in set_zoneinfo hooks/15-timezone	Adds a ../ pattern rejection for new_tzdb_timezone before processing, and changes the zone_file existence test from -e (any path type) to -f (regular file only), logging and returning failure in both invalid cases.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'timezone: disallow directory traversal' directly reflects the main security change—preventing directory traversal attacks in timezone handling.
Description check	✅ Passed	The description 'Don't allow a timezone definition to go outside of it's directory' clearly relates to the changeset, accurately describing the security fix to prevent directory traversal.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch tz

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}