diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index c1caaeb..7059223 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -6,3 +6,8 @@
 **Vulnerability:** The custom `SafeStaticFiles` middleware in `src/audioformation/server/app.py` intended to block access to sensitive directories (like `00_CONFIG` and `.git`). However, it used `p = Path(path).lower()`, which raises an `AttributeError` because `pathlib.Path` objects lack a `.lower()` method. This effectively broke static file serving entirely (causing 500 errors) and represented a malformed security check. If such errors were ever 'swallowed' without raising an HTTP exception, it could result in 'failing open' and allowing access to sensitive files.
 **Learning:** Security checks that rely on path manipulation or normalization must be carefully tested for runtime exceptions. An unhandled exception in a security gate can either block legitimate traffic (Denial of Service) or, if caught improperly elsewhere, fail open. Always normalize the string representation of paths before converting them to `Path` objects.
 **Prevention:** Thoroughly test security middleware endpoints for both valid and invalid access attempts. Ensure that path string normalizations like `.lower()` are applied directly to the string before instantiating `Path(str(path).lower())`.
+
+## 2025-02-23 - Information Leakage in API Response
+**Vulnerability:** The `ingest_files` API endpoint in `src/audioformation/server/routes.py` caught exceptions during file uploads and raised an `HTTPException` containing the explicit string representation of the internal exception `e` in the `detail` field (`detail=f"Upload failed: {e}"`). This is an information leakage vulnerability because an internal exception stack trace or detailed internal system message can be exposed directly to the user (e.g., in a 500 status code response), which violates the secure error message coding standard.
+**Learning:** Do not leak unhandled internal `Exception` messages or tracebacks directly into an HTTP response `detail`. 
+**Prevention:** Catch generic exceptions internally, log the specific error to internal logs (e.g. `logger.exception()`), and return a generic, non-revealing error message to the client (e.g. `detail="Upload failed"`).
diff --git a/src/audioformation/server/routes.py b/src/audioformation/server/routes.py
index 34c9bec..d9eef39 100644
--- a/src/audioformation/server/routes.py
+++ b/src/audioformation/server/routes.py
@@ -184,8 +184,9 @@ async def ingest_files(
 with open(dest, "wb") as buffer:
 shutil.copyfileobj(file.file, buffer)
 except Exception as e:
+ logger.exception(f"Upload failed for project {project_id}: {e}")
 shutil.rmtree(tmp_dir, ignore_errors=True)
- raise HTTPException(status_code=500, detail=f"Upload failed: {e}")
+ raise HTTPException(status_code=500, detail="Upload failed")

 background_tasks.add_task(
 _run_with_status,
diff --git a/uv.lock b/uv.lock
index e34eac4..7970295 100644
--- a/uv.lock
+++ b/uv.lock
@@ -270,7 +270,7 @@ requires-dist = [
 { name = "jsonschema", specifier = ">=4.21,<5" },
 { name = "midiutil", marker = "extra == 'midi'", specifier = ">=1.2,<2" },
 { name = "mutagen", marker = "extra == 'm4b'", specifier = ">=1.47,<2" },
- { name = "mypy", marker = "extra == 'dev'", specifier = ">=1.0,<2" },
+ { name = "mypy", marker = "extra == 'dev'", specifier = ">=1.0,<3" },
 { name = "numpy", specifier = ">=1.26,<3" },
 { name = "pre-commit", marker = "extra == 'dev'", specifier = ">=3.6,<5" },
 { name = "pydub", specifier = ">=0.25,<1" },
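Review bot: The added `logger.exception(f"Upload failed for project {project_id}: {e}")` formats the message eagerly with an f-string and repeats `{e}` even though `logger.exception` already attaches the exception and its traceback to the record; prefer the lazy form `logger.exception("Upload failed for project %s", project_id)` so the exception text appears once and formatting is deferred to the handler. If `project_id` is taken from the request path, whatever it contains is now written verbatim into the server log, so it is worth confirming it is validated upstream (no newlines or control characters) before these lines are relied on for incident triage. The hunk also presumes a module-level `logger` in routes.py that is not visible here; if it were missing, the `except` branch would raise `NameError` before reaching the `HTTPException`, so a test that exercises the failure path would catch that. `ingest_files` starts before and continues after this hunk.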
@@ -280,7 +280,7 @@ requires-dist = [
 { name = "pytest-cov", marker = "extra == 'dev'", specifier = ">=4.0,<8" },
 { name = "python-dotenv", marker = "extra == 'cloud'", specifier = ">=1.0,<2" },
 { name = "python-multipart", marker = "extra == 'server'", specifier = ">=0.0.27,<1" },
- { name = "ruff", marker = "extra == 'dev'", specifier = ">=0.1.9" },
+ { name = "ruff", marker = "extra == 'dev'", specifier = ">=0.15.1" },
 { name = "silero-vad", marker = "extra == 'vad'", specifier = ">=6.0,<7" },
 { name = "soundfile", specifier = ">=0.12,<1" },
 { name = "transformers", specifier = ">=4.44,<6" },