
🛡️ Sentinel: [MEDIUM] Fix error handling in SafeStaticFiles #65

Status: Closed
socialawy-dev wants to merge 1 commit into main from sentinel-fix-safestaticfiles-7240115120946685449

Conversation

@socialawy-dev (Collaborator)

🚨 Severity: MEDIUM
💡 Vulnerability: The SafeStaticFiles class in src/audioformation/server/app.py is intended to block access to sensitive files (like 00_CONFIG and .env). However, the path check p = Path(path).lower() caused an AttributeError because Path objects don't have a .lower() method. This resulted in a 500 error, breaking the file serving and potentially leaking stack traces.
🎯 Impact: While this fails closed (denying access), it acts as a Denial of Service and leaks internal states via stack traces on a 500 error rather than properly handling the check and returning a 403 Forbidden.
🔧 Fix: Modified the path normalization to lowercase the string before passing it into the Path constructor (Path(path.lower())), ensuring the security control executes properly without throwing an unhandled exception. Added explanatory comments.
✅ Verification: Review the code changes in src/audioformation/server/app.py and run the test suite (uv run pytest) to ensure no existing tests or functionalities are broken.


PR created automatically by Jules for task 7240115120946685449 started by @socialawy

Modified SafeStaticFiles in src/audioformation/server/app.py to correctly lowercase the path string before converting it to a Path object. This avoids an AttributeError that would cause a 500 server error and ensures the security check gracefully fails with a 403. Added explanatory comment.

Co-authored-by: socialawy <24765060+socialawy@users.noreply.github.com>
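The failure mode the PR describes, shown side by side with the fix, as an added example that is not the project's own app.py code. The denylist (00_CONFIG and .env), the component-wise matching, the status mapping in status_for, and the fail_closed wrapper are all assumptions made for illustration; the page only states that the check lowercases the path and that the intended outcome is a 403 rather than a 500.

```python
from pathlib import Path

# Constructed denylist modelled on the names the PR description mentions
# (00_CONFIG and .env); the real list in app.py is not shown on the page.
BLOCKED_COMPONENTS = {"00_config", ".env"}


def _blocked_parts(p: Path) -> bool:
    """True if any path component is on the denylist (components are compared lowercase)."""
    return any(part in BLOCKED_COMPONENTS for part in p.parts)


def is_blocked_before(path) -> bool:
    """'Before' behaviour from the PR: Path objects have no .lower(), so this
    raises AttributeError on every request instead of returning True/False."""
    p = Path(path).lower()  # AttributeError: 'PosixPath' object has no attribute 'lower'
    return _blocked_parts(p)


def is_blocked_after(path) -> bool:
    """Fixed check: lowercase the *string*, then build the Path.
    str() first (the #90 variant quoted in the thread) so a Path argument also works."""
    p = Path(str(path).lower())
    return _blocked_parts(p)


def fail_closed(checker):
    """Hypothetical hardening, not part of the PR: if the check itself raises,
    treat the request as blocked instead of letting the exception become a 500."""
    def wrapped(path) -> bool:
        try:
            return checker(path)
        except Exception:
            return True
    return wrapped


def status_for(path, checker) -> int:
    """Map a request path to the status a minimal server would send:
    403 when the check denies, 200 when it allows, 500 when it raises
    (an unhandled exception is what produces the stack-trace page)."""
    try:
        blocked = checker(path)
    except Exception:
        return 500
    return 403 if blocked else 200


if __name__ == "__main__":
    # Constructed request paths: one sensitive, one sensitive in odd case, one legitimate.
    for req in ("00_CONFIG/secrets.json", ".ENV", "static/app.js"):
        print(
            f"{req:24s} before={status_for(req, is_blocked_before)} "
            f"after={status_for(req, is_blocked_after)} "
            f"before+fail_closed={status_for(req, fail_closed(is_blocked_before))}"
        )
    # The str() form also accepts a Path object, which Path(path.lower()) would not.
    print(is_blocked_after(Path("00_CONFIG/x.txt")))
```

Two things worth noticing when running it: the broken check returns 500 for every path, including legitimate static files, which is the denial of service the description calls out; and wrapping it in fail_closed turns that into a 403 for every path. That is the safer default for a security gate whose code might throw, but it is only damage control. The check itself still has to be fixed, and a test that requests a blocked name and asserts on 403 (not merely "not 200") is what catches this class of bug.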
@google-labs-jules (Contributor)

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist (Bot) left a comment


Code Review

This pull request fixes a Denial of Service vulnerability in the SafeStaticFiles class where an AttributeError was triggered by calling .lower() on a Path object instead of a string. The fix correctly normalizes the path string before instantiation, ensuring that sensitive resources are blocked with a 403 Forbidden response rather than causing a 500 error. Additionally, the .jules/sentinel.md file was updated to document this vulnerability and its prevention. I have no feedback to provide as there were no review comments.

@socialawy (Owner)

Superseded by #90 (merged ac23b55). The Sentinel/Jules SafeStaticFiles chain was iterating on the same middleware; #90's Path(str(path).lower()) fix addresses the root AttributeError. Closing as duplicate; re-open if a distinct vulnerability emerges.

@socialawy socialawy closed this May 13, 2026
@socialawy socialawy deleted the sentinel-fix-safestaticfiles-7240115120946685449 branch May 13, 2026 19:07
@google-labs-jules (Contributor)

Superseded by #90 (merged ac23b55). The Sentinel/Jules SafeStaticFiles chain was iterating on the same middleware; #90's Path(str(path).lower()) fix addresses the root AttributeError. Closing as duplicate; re-open if a distinct vulnerability emerges.

Understood. Acknowledging that this work is now obsolete and stopping work on this task.
