🛡️ Sentinel: [CRITICAL] Fix path traversal and validation bypass

[socialawy-dev]

🚨 Severity: CRITICAL
💡 Vulnerability: A path traversal logic bypass existed in validate_path_within which used a string-based startswith check on os.path.abspath before resolving symlinks, allowing bypasses in specific edge cases. Also, SafeStaticFiles.get_response in src/audioformation/server/app.py lacked a None check for paths.
🎯 Impact: Attackers could potentially bypass validation rules in specific configurations where paths match as a prefix string but aren't actually contained.
🔧 Fix: Replaced startswith logic with Path.resolve().is_relative_to() to strictly validate path boundaries using the Pathlib library, ensuring canonical resolution of all symlinks.
✅ Verification: Ran pytest suite ensuring all tests pass, including the security and unit tests.

---

PR created automatically by Jules for task 16345357079722916730 started by @socialawy

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Code Review

This pull request enhances security by documenting path traversal vulnerabilities, adding a null check to the static file response handler, and refactoring path validation to use more robust pathlib methods. Feedback identifies a regression in the path validation utility regarding string input handling and points out an invalid version specifier for the ruff dependency in the lock file.

[gemini-code-assist]

The updated implementation of validate_path_within introduces a regression for callers passing path strings instead of Path objects. While the type hints specify Path, the previous implementation used os.path.abspath(str(path)), which supported both types. In the current version, passing a string will cause root.resolve() to raise an AttributeError, which is caught by the except block, resulting in a False return value even for valid paths.

Casting the inputs to Path ensures robustness and maintains backward compatibility with string-based calls.

Suggested change

	resolved_root = root.resolve()
	resolved_path = path.resolve()
	return resolved_path.is_relative_to(resolved_root)
	except (TypeError, ValueError, RuntimeError, AttributeError, OSError):
	resolved_root = Path(root).resolve()
	resolved_path = Path(path).resolve()
	return resolved_path.is_relative_to(resolved_root)
	except (TypeError, ValueError, RuntimeError, AttributeError, OSError):

[gemini-code-assist]

The version specifier for ruff (>=0.15.1) appears to be a typo. As of now, Ruff's versioning is in the 0.4.x range, and there is no version 0.15.1 available on PyPI. This will likely cause dependency resolution to fail. You probably meant 0.1.15 or a more recent version like 0.4.8.