socialawy · socialawy-dev · May 1, 2026 · gemini-code-assist · May 1, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -1,4 +1,8 @@
 ## 2025-02-21 - Path Traversal in Mix Endpoint API Parameter
 **Vulnerability:** The `/projects/{project_id}/mix` API endpoint in `src/audioformation/server/routes.py` accepted a `music` parameter (meant to specify a filename within the `05_MUSIC/generated` directory) but directly passed it to `mix_project` without sanitization. This allowed directory traversal payloads like `../../../etc/passwd` to be used for background music resolution.
 **Learning:** Even internal API inputs that map strictly to filenames inside an expected directory must be sanitized. A simple check for file existence (`if not bg_music_path.exists():`) is insufficient as it confirms existence but allows looking outside the bounded directory.
-**Prevention:** Always use established sanitization helpers (like `sanitize_filename`) or bound checks (like `validate_path_within`) for any user-supplied string that forms part of a filesystem path. Ensure bypass parameters like `FORCE_NO_MUSIC` are handled before and mutually exclusively from sanitization.
+**Prevention:** Always use established sanitization helpers (like `sanitize_filename`) or bound checks (like `validate_path_within`) for any user-supplied string that forms part of a filesystem path. Ensure bypass parameters like `FORCE_NO_MUSIC` are handled before and mutually exclusively from sanitization.
+## 2024-05-18 - Path traversal fix and Error leakage mitigation
+**Vulnerability:** SafeStaticFiles incorrectly initialized path objects using `Path(path).lower()`, leading to `AttributeError` bypassing static file filtering. Additionally, upload exception exposed raw exception strings via `raise HTTPException(..., detail=f"Upload failed: {e}")`.
+**Learning:** `Path()` objects do not have a `.lower()` method. Using `p.parts` and `p.name` on a non-existent lowercase string logic bypasses directory filtering (like blocking `00_CONFIG`). Error messages should always log detailed exceptions server-side and provide safe, generic messages to the client.
+**Prevention:** Always convert the string path to lowercase before passing to `Path()` constructor, e.g. `Path(path.lower())`. Log exceptions with `logger.error` or `logger.exception` and raise generic `HTTPException` detail messages.
diff --git a/src/audioformation/server/app.py b/src/audioformation/server/app.py
@@ -24,7 +24,7 @@ class SafeStaticFiles(StaticFiles):
 
     async def get_response(self, path: str, scope) -> Response:
         # Normalize path for check
-        p = Path(path).lower()
+        p = Path(path.lower())
         if "00_config" in p.parts or p.name.startswith(".env") or ".git" in p.parts:
             raise HTTPException(
                 status_code=403, detail="Access denied to sensitive resource"

diff --git a/src/audioformation/server/routes.py b/src/audioformation/server/routes.py
@@ -185,7 +185,8 @@ async def ingest_files(
                 shutil.copyfileobj(file.file, buffer)
     except Exception as e:
         shutil.rmtree(tmp_dir, ignore_errors=True)
-        raise HTTPException(status_code=500, detail=f"Upload failed: {e}")
+        logger.error(f"Upload failed: {e}")
-        logger.error(f"Upload failed: {e}")
+        logger.exception("Upload failed")
-        logger.error(f"Upload failed: {e}")
+        logger.exception("Upload failed")
+        raise HTTPException(status_code=500, detail="Upload failed")
 
     background_tasks.add_task(
         _run_with_status,