From 5988ee15453e554489cd85906b5b5ff3b013b802 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 30 Apr 2026 21:27:03 +0000 Subject: [PATCH] fix: Resolve SafeStaticFiles path validation AttributeError Replaced `Path(path).lower()` with `Path(path.lower())` in `SafeStaticFiles` middleware in `src/audioformation/server/app.py`. `PosixPath` objects do not have a `.lower()` method, leading to 500 errors on requests for static files. Case-insensitivity logic is now properly preserved by lowering the path string prior to creating the Path object. Co-authored-by: socialawy <24765060+socialawy@users.noreply.github.com> --- .jules/sentinel.md | 6 +++++- src/audioformation/server/app.py | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index 9bd8528..5a748c5 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -1,4 +1,8 @@ ## 2025-02-21 - Path Traversal in Mix Endpoint API Parameter **Vulnerability:** The `/projects/{project_id}/mix` API endpoint in `src/audioformation/server/routes.py` accepted a `music` parameter (meant to specify a filename within the `05_MUSIC/generated` directory) but directly passed it to `mix_project` without sanitization. This allowed directory traversal payloads like `../../../etc/passwd` to be used for background music resolution. **Learning:** Even internal API inputs that map strictly to filenames inside an expected directory must be sanitized. A simple check for file existence (`if not bg_music_path.exists():`) is insufficient as it confirms existence but allows looking outside the bounded directory. -**Prevention:** Always use established sanitization helpers (like `sanitize_filename`) or bound checks (like `validate_path_within`) for any user-supplied string that forms part of a filesystem path. Ensure bypass parameters like `FORCE_NO_MUSIC` are handled before and mutually exclusively from sanitization. \ No newline at end of file +**Prevention:** Always use established sanitization helpers (like `sanitize_filename`) or bound checks (like `validate_path_within`) for any user-supplied string that forms part of a filesystem path. Ensure bypass parameters like `FORCE_NO_MUSIC` are handled before and mutually exclusively from sanitization. +## 2024-05-24 - Fix SafeStaticFiles path validation AttributeError +**Vulnerability:** The application was throwing an `AttributeError` during static file path validation because it was trying to call `.lower()` on a `Path` object in `src/audioformation/server/app.py` (`Path(path).lower()`). This resulted in an unhandled exception, causing the application to crash or return a 500 error when serving any static files. +**Learning:** `PosixPath` objects do not have a `lower()` method. Path strings should be normalized *before* being passed to `Path()`. This code would fail on the first request for a static file and completely break the frontend or block valid operations. +**Prevention:** Always ensure string operations are performed on string types before casting them to Path objects, and include integration tests that actually make requests to the running application to catch obvious typos in core middleware/routing. diff --git a/src/audioformation/server/app.py b/src/audioformation/server/app.py index 9334beb..5cf513b 100644 --- a/src/audioformation/server/app.py +++ b/src/audioformation/server/app.py @@ -24,7 +24,7 @@ class SafeStaticFiles(StaticFiles): async def get_response(self, path: str, scope) -> Response: # Normalize path for check - p = Path(path).lower() + p = Path(path.lower()) if "00_config" in p.parts or p.name.startswith(".env") or ".git" in p.parts: raise HTTPException( status_code=403, detail="Access denied to sensitive resource"