🛡️ Sentinel: [CRITICAL] Fix Path Traversal Crash#69
Conversation
Fix AttributeError when instantiating Path on SafeStaticFiles get_response. Co-authored-by: socialawy <24765060+socialawy@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request fixes an AttributeError in the SafeStaticFiles class by correctly lowercasing the path string before creating a Path object. It also adds a corresponding entry to the sentinel documentation. A review comment identifies a potential security bypass where the check for .env files only looks at the filename; it is recommended to check all path components to ensure .env directories are also restricted.
| async def get_response(self, path: str, scope) -> Response: | ||
| # Normalize path for check | ||
| p = Path(path).lower() | ||
| p = Path(path.lower()) |
There was a problem hiding this comment.
While this change correctly fixes the AttributeError by lowercasing the string before creating the Path object, the subsequent security check for .env files (on line 28) only inspects the p.name property. This means that if .env is used as a directory name (e.g., .env/secrets.json), the check will be bypassed because p.name would be secrets.json. To improve the robustness of this hardened class, consider checking if any component of the path starts with .env, similar to how 00_config and .git are checked using p.parts.
socialawy
deleted the
sentinel-fix-path-traversal-crash-4115711445469659799
branch
Understood. Acknowledging that this work is superseded by #90 and stopping work on this task. |
2 participants
🚨 Severity: CRITICAL
💡 Vulnerability: The SafeStaticFiles block logic in
src/audioformation/server/app.pycontained a runtime bug due to callingPath(path).lower(). Python'sPathobjects do not have a.lower()method. This would crash the request processing loop for any file hitting this check with a 500 error instead of a 403 Forbidden. This unhandled exception acts as a Denial of Service and bypasses the directory traversal safeguard.🎯 Impact: Prevents the server from processing requests for sensitive directories correctly. It returns unhandled exceptions which crash requests or may otherwise bypass expected routing paths. It also allows an attacker to spam traversal requests to cause exceptions.
🔧 Fix: Replaced
Path(path).lower()withPath(path.lower()), successfully validating the casing string representation before wrapping it into aPathobject for directory part verification.✅ Verification: Verified by checking if the handler safely routes requests containing
00_configinternally without unhandled exceptions. Checked by running a mock setup of FastAPI andSafeStaticFilesagainst an arbitrary sensitive payload.PR created automatically by Jules for task 4115711445469659799 started by @socialawy