From 1debdbb01d66090959fdf1a2680565f1eee12066 Mon Sep 17 00:00:00 2001
From: Karim Roukoz
Date: Mon, 22 Dec 2025 21:15:07 -0500
Subject: [PATCH] Update benchmarks/auto_tune/auto_tune.sh

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Karim Roukoz
---
 benchmarks/auto_tune/auto_tune.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/benchmarks/auto_tune/auto_tune.sh b/benchmarks/auto_tune/auto_tune.sh
index ba658a9080f53..f6435afeaa6be 100644
--- a/benchmarks/auto_tune/auto_tune.sh
+++ b/benchmarks/auto_tune/auto_tune.sh
@@ -4,6 +4,12 @@
 # See details in README (benchmarks/auto_tune/README.md).
 
 TAG=${TAG:-$(date +"%Y_%m_%d_%H_%M")}
+
+# Sanitize TAG to prevent path traversal
+if [[ "$TAG" == *..* || "$TAG" == /* ]]; then
+ echo "Error: TAG cannot contain '..' or be an absolute path." >&2
+ exit 1
+fi
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 VLLM_LOGGING_LEVEL=${VLLM_LOGGING_LEVEL:-INFO}
 BASE=${BASE:-"$SCRIPT_DIR/../../.."}
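Review bot: The added guard on `TAG` is a denylist that rejects only `..` and a leading `/`, so values with an embedded `/`, whitespace, newlines, a leading `-` or glob characters still pass and reach whatever paths are later built from `TAG`. That use is outside this hunk, so how far such a value gets is not visible here. If `TAG` is meant to be a single directory-name component, an allowlist is tighter and easier to audit: `if [[ ! "$TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ || "$TAG" == *..* ]]; then`, with the error message changed to name the permitted characters. The comment says "Sanitize", but the code rejects the value rather than rewriting it; `# Validate TAG (taken from the environment): reject values that could escape the output directory` describes it more accurately.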