🛡️ Sentinel: [MEDIUM] Fix DoS and enhance path validation#66
🛡️ Sentinel: [MEDIUM] Fix DoS and enhance path validation#66socialawy-dev wants to merge 1 commit into
Conversation
- Fixed `AttributeError` in `SafeStaticFiles` middleware by using `Path(path.lower())` instead of `Path(path).lower()`. This prevents a Denial of Service via server crash on static file requests. - Enhanced path validation exception handling in `validate_path_within` by catching `TypeError` and `AttributeError` to fail securely. - Documented findings in `.jules/sentinel.md`. Co-authored-by: socialawy <24765060+socialawy@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request fixes a Denial of Service vulnerability in the SafeStaticFiles middleware by ensuring .lower() is called on the path string rather than the Path object, and updates the sentinel documentation accordingly. It also expands exception handling in the path validation utility. A security improvement was suggested for the path filtering logic to check all path components for sensitive patterns like .env to prevent potential directory-based bypasses.
| # Normalize path for check | ||
| p = Path(path).lower() | ||
| p = Path(path.lower()) | ||
| if "00_config" in p.parts or p.name.startswith(".env") or ".git" in p.parts: |
There was a problem hiding this comment.
The current check using p.name.startswith(".env") only validates the final component of the path. If a directory is named .env (or starts with .env), its contents would not be blocked by this condition (e.g., a request to .env/secrets.json would have p.name == "secrets.json"). To ensure all sensitive resources are blocked regardless of their position in the path hierarchy, it is safer to check all path components using p.parts.
| if "00_config" in p.parts or p.name.startswith(".env") or ".git" in p.parts: | |
| if any(part in ("00_config", ".git") or part.startswith(".env") for part in p.parts): |
socialawy
deleted the
sentinel-fix-dos-and-path-validation-11619480154247741950
branch
Understood. Acknowledging that this work is now obsolete and stopping work on this task. |
2 participants
🚨 Severity: MEDIUM
💡 Vulnerability:
SafeStaticFilesmiddleware crashed with anAttributeErrordue toPath(path).lower()becausePathobjects don't have a.lower()method. This unhandled exception caused the server to crash when resolving requests to static paths.validate_path_withinutility could expose internal stack traces or crash entirely when processing badly malformed paths or receivingNoneinputs, rather than returning securely.🎯 Impact:
🔧 Fix:
src/audioformation/server/app.py, corrected the path instantiation toPath(path.lower())ensuring that the string is converted to lowercase before path object creation.src/audioformation/utils/security.py, updated thevalidate_path_withintry-except block to additionally catchTypeErrorandAttributeError, allowing the function to fail securely and returnFalseon malformed inputs.✅ Verification:
uv run pytest tests/test_security.py --no-cov) and server routing (uv run pytest tests/test_server_routes.py --no-cov), achieving 100% pass rates.Pathinitialization error now behaves as expected without crashing the application flow.PR created automatically by Jules for task 11619480154247741950 started by @socialawy