🛡️ Sentinel: [CRITICAL] Fix Path validation bypass in SafeStaticFiles

.jules/sentinel.md

@@ -1,4 +1,8 @@
 ## 2025-02-21 - Path Traversal in Mix Endpoint API Parameter
 **Vulnerability:** The `/projects/{project_id}/mix` API endpoint in `src/audioformation/server/routes.py` accepted a `music` parameter (meant to specify a filename within the `05_MUSIC/generated` directory) but directly passed it to `mix_project` without sanitization. This allowed directory traversal payloads like `../../../etc/passwd` to be used for background music resolution.
 **Learning:** Even internal API inputs that map strictly to filenames inside an expected directory must be sanitized. A simple check for file existence (`if not bg_music_path.exists():`) is insufficient as it confirms existence but allows looking outside the bounded directory.
-**Prevention:** Always use established sanitization helpers (like `sanitize_filename`) or bound checks (like `validate_path_within`) for any user-supplied string that forms part of a filesystem path. Ensure bypass parameters like `FORCE_NO_MUSIC` are handled before and mutually exclusively from sanitization.
+**Prevention:** Always use established sanitization helpers (like `sanitize_filename`) or bound checks (like `validate_path_within`) for any user-supplied string that forms part of a filesystem path. Ensure bypass parameters like `FORCE_NO_MUSIC` are handled before and mutually exclusively from sanitization.
+## 2024-05-24 - Path AttributeError in SafeStaticFiles
+**Vulnerability:** Unhandled AttributeError when calling `.lower()` on a `Path` object in `SafeStaticFiles`, causing unhandled 500 errors on paths and potentially leaking information or allowing bypasses.
+**Learning:** `Path` objects in Python do not have a `.lower()` method. When dealing with path validation, case normalization must occur on the string representation before `Path` instantiation. Unhandled exceptions in security checks can cause a 'fail open' or 500 error leaking internals.
+**Prevention:** Always use `Path(str(path).lower())` and wrap path-based security validations in `try/except` blocks that fail securely with a generic 400 or 403 HTTP response.

src/audioformation/server/app.py

@@ -24,11 +24,16 @@ class SafeStaticFiles(StaticFiles):
 
     async def get_response(self, path: str, scope) -> Response:
         # Normalize path for check
-        p = Path(path).lower()
-        if "00_config" in p.parts or p.name.startswith(".env") or ".git" in p.parts:
-            raise HTTPException(
-                status_code=403, detail="Access denied to sensitive resource"
-            )
+        try:
+            p = Path(str(path).lower())
+            if "00_config" in p.parts or p.name.startswith(".env") or ".git" in p.parts:
+                raise HTTPException(
+                    status_code=403, detail="Access denied to sensitive resource"
+                )
+        except HTTPException:
+            raise
+        except Exception:
+            raise HTTPException(status_code=400, detail="Invalid path format")
 
         return await super().get_response(path, scope)