[HIGH] Path traversal in phlo.yaml loading

## Summary

`PHLO_PROJECT_PATH` environment variable used without path sanitization. Attackers could set paths like `/etc/` or `../../../etc/` to read arbitrary files.

## Location

`src/phlo/infrastructure/config.py` lines 26-39

## Vulnerable Code

```python
env_path = os.environ.get("PHLO_PROJECT_PATH")
project_root = Path(env_path or ".")
```

## Recommended Fix

Validate that the resolved path is within the project directory or user home directory. Reject paths containing `..` or absolute paths outside allowed directories.

---

**Severity:** P1 - High
**Category:** Security
**Audit Reference:** AUDIT.md


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[HIGH] Path traversal in phlo.yaml loading #339

Summary

Location

Vulnerable Code

Recommended Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[HIGH] Path traversal in phlo.yaml loading #339

Description

Summary

Location

Vulnerable Code

Recommended Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions