
@TheButlah TheButlah commented Apr 23, 2025

vibe coded with codex + o3

```rust
/// Reads the OTA version string from the claim.json inside an OTA directory.
async fn get_ota_version(dir: &Path) -> Result<String> {
    let claim_path = dir.join(crate::diff_ota::CLAIM_FILE);
    let claim_contents = tokio::fs::read_to_string(&claim_path)
```


Semgrep identified an issue, but thinks it may be safe to ignore.
The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.

Why this might be safe to ignore:

This code is part of a CLI tool where the OTA directory is explicitly provided by the user (i.e. not coming from an untrusted external source) and is only used to build a file path with a constant filename. As such, while the taint is flagged by the rule, it does not create an exploitable path traversal vulnerability in this context.

Dataflow graph

```mermaid
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>bidiff-cli/src/lib.rs</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/worldcoin/orb-software/blob/32522bdff8c0dd0e6878bb255f60855146b134d1/bidiff-cli/src/lib.rs#L313 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 313] dir</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/worldcoin/orb-software/blob/32522bdff8c0dd0e6878bb255f60855146b134d1/bidiff-cli/src/lib.rs#L313 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 313] claim_path</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/worldcoin/orb-software/blob/32522bdff8c0dd0e6878bb255f60855146b134d1/bidiff-cli/src/lib.rs#L314 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 314] &claim_path</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink
```

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-path.

You can view more details about this finding in the Semgrep AppSec Platform.
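Worked example, added here and not code from the orb-software PR: it mirrors the flagged `dir.join(CLAIM_FILE)` pattern (a constant file name joined onto a CLI-supplied directory, which cannot climb out of that directory) and contrasts it with the case the tainted-path rule is really about, a file name the caller controls, where `Path::join` silently replaces the base for absolute input and `..` climbs out. `CLAIM_FILE`'s value, `naive_join` and `join_within` are assumptions for this example; it uses std only.

```rust
use std::path::{Component, Path, PathBuf};

/// Constant file name joined onto the OTA directory (value assumed for the example).
const CLAIM_FILE: &str = "claim.json";

/// Mirrors the flagged pattern: base directory from the CLI, constant file name.
/// Nothing in the joined component is attacker-controlled, so the result is
/// always `<dir>/claim.json`, which is why the finding is a false positive here.
fn claim_path(dir: &Path) -> PathBuf {
    dir.join(CLAIM_FILE)
}

/// The hazardous variant: an untrusted name joined as-is. `Path::join` discards
/// `base` entirely when `name` is absolute, and keeps `..` components verbatim.
fn naive_join(base: &Path, name: &str) -> PathBuf {
    base.join(name)
}

/// Lexical containment check for an untrusted file name: only plain components are
/// appended; root/prefix components (which would replace `base`) and `..` (which
/// would climb out) are rejected. Symlinks inside `base` are not covered by this
/// check; resolve with `std::fs::canonicalize` and re-compare if that matters.
fn join_within(base: &Path, untrusted_name: &str) -> Option<PathBuf> {
    let mut out = base.to_path_buf();
    for comp in Path::new(untrusted_name).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            _ => return None,
        }
    }
    Some(out)
}

fn main() {
    let dir = Path::new("/var/ota/update"); // constructed sample base directory
    println!("constant join:  {}", claim_path(dir).display());
    println!("naive join:     {}", naive_join(dir, "/etc/hostname").display());
    println!("checked join:   {:?}", join_within(dir, "../../etc/hostname"));
    println!("checked join:   {:?}", join_within(dir, "sub/claim.json"));
}
```

The checked join only answers "does this lexical path stay under `base`"; pair it with a least-privilege process or directory permissions rather than relying on it alone.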

@TheButlah TheButlah added tested:no This PR was not tested ai:vibe For fully or mostly vibe-coded PRs, i.e. minimal supervision labels Apr 23, 2025