🛡️ Sentinel: [CRITICAL] Fix Path Traversal and SafeStaticFiles AttributeError#63
🛡️ Sentinel: [CRITICAL] Fix Path Traversal and SafeStaticFiles AttributeError#63socialawy-dev wants to merge 1 commit into
Conversation
…uteError Co-authored-by: socialawy <24765060+socialawy@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| return False | ||
| except (ValueError, RuntimeError, OSError): | ||
| resolved_root = root.resolve() |
| return False | ||
| except (ValueError, RuntimeError, OSError): | ||
| resolved_root = root.resolve() | ||
| resolved_path = path.resolve() |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request fixes a bug in SafeStaticFiles where .lower() was incorrectly called on a Path object and simplifies the validate_path_within utility by using is_relative_to for more robust path traversal protection. Documentation in .jules/sentinel.md was also updated to reflect these changes. A review comment suggests improving the security check for sensitive files by ensuring all path components are inspected for .env prefixes, rather than just the filename.
| # Normalize path for check | ||
| p = Path(path).lower() | ||
| p = Path(path.lower()) | ||
| if "00_config" in p.parts or p.name.startswith(".env") or ".git" in p.parts: |
There was a problem hiding this comment.
The current check for .env files only inspects the final component of the path (p.name). While .env is typically a file, it is more robust to check all path components to prevent access to sensitive files within a directory that might start with .env (e.g., .env.backup/secrets.txt). This change would make the .env protection consistent with how .git and 00_config are handled using p.parts.
| if "00_config" in p.parts or p.name.startswith(".env") or ".git" in p.parts: | |
| if "00_config" in p.parts or any(part.startswith(".env") for part in p.parts) or ".git" in p.parts: |
Understood. Acknowledging that this work is now obsolete and stopping work on this task. |
3 participants
🚨 Severity: CRITICAL
💡 Vulnerability:
validate_path_withinrelied on redundant, string-basedos.path.abspathprefix checks which are historically prone to symlink and casing bypasses in varied filesystem setups.SafeStaticFilesmiddleware crashed with a HTTP 500 error due to calling.lower()on aPathobject when resolving static files requests.🎯 Impact:
🔧 Fix:
validate_path_withinto purely rely on Python's canonical and rigorousresolved_path.is_relative_to(resolved_root), removing string checks entirely. Added comprehensive Exception handling block to captureAttributeErrorandTypeErrorfor bad inputs securely.Pathlowercasing bug natively by applying.lower()to the path string before object creation insrc/audioformation/server/app.py.✅ Verification: Ran
pytestensuring 351 pipeline and security tests pass without exposing sensitive 500 stack traces or regressions.PR created automatically by Jules for task 5003228792098342057 started by @socialawy