Patch builtin path traversal via crafted diff headers

## Summary

The `strip_path()` function in the patch builtin strips leading path components per `-p` flag but does not sanitize the resulting path for `..` traversal. A malicious diff with headers like `--- a/../../../etc/passwd` with `-p1` produces `../../../etc/passwd`, enabling writes to unintended VFS paths.

**Severity:** Medium  
**Category:** Path Traversal (TM-INJ)

## Affected Files

- `crates/bashkit/src/builtins/patch.rs` lines 81-91, 275-300

## Steps to Reproduce

```bash
cat <<'EOF' | patch -p1
--- a/../../../etc/important
+++ b/../../../etc/important
@@ -1 +1 @@
-safe
+compromised
EOF
# Writes to ../../../etc/important within the VFS
```

## Impact

Writing to unintended paths within the VFS via crafted diff headers. Could overwrite critical virtual files.

## Acceptance Criteria

- [ ] After stripping path components, normalize the result and reject paths containing `..`
- [ ] Or: verify the resolved path stays under the current working directory
- [ ] Test: Diff header with `..` traversal is rejected with error
- [ ] Test: Normal patch with clean paths still works correctly

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Patch builtin path traversal via crafted diff headers #989

Summary

Affected Files

Steps to Reproduce

Impact

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Patch builtin path traversal via crafted diff headers #989

Description

Summary

Affected Files

Steps to Reproduce

Impact

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions