diff --git a/.jules/sentinel.md b/.jules/sentinel.md index 9bd8528..600847d 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -1,4 +1,4 @@ -## 2025-02-21 - Path Traversal in Mix Endpoint API Parameter -**Vulnerability:** The `/projects/{project_id}/mix` API endpoint in `src/audioformation/server/routes.py` accepted a `music` parameter (meant to specify a filename within the `05_MUSIC/generated` directory) but directly passed it to `mix_project` without sanitization. This allowed directory traversal payloads like `../../../etc/passwd` to be used for background music resolution. -**Learning:** Even internal API inputs that map strictly to filenames inside an expected directory must be sanitized. A simple check for file existence (`if not bg_music_path.exists():`) is insufficient as it confirms existence but allows looking outside the bounded directory. -**Prevention:** Always use established sanitization helpers (like `sanitize_filename`) or bound checks (like `validate_path_within`) for any user-supplied string that forms part of a filesystem path. Ensure bypass parameters like `FORCE_NO_MUSIC` are handled before and mutually exclusively from sanitization. \ No newline at end of file +## 2025-02-24 - Exception Handling in SafeStaticFiles +**Vulnerability:** SafeStaticFiles incorrectly normalizes `path` to lowercase using `p = Path(path).lower()`, but `Path` objects don't have a `.lower()` method. This throws an `AttributeError` instead of handling the security check and raises an unhandled internal error. +**Learning:** Security controls can bypass themselves if they contain runtime bugs that cause unhandled exceptions ("fail open" or unpredictable error responses). String operations must be done before path instantiation, e.g. `Path(str(path).lower())`. +**Prevention:** Always validate that security logic functions fail cleanly or correctly and handle edge-cases and None-type values properly to avoid breaking applications. diff --git a/src/audioformation/server/app.py b/src/audioformation/server/app.py index 9334beb..54243ef 100644 --- a/src/audioformation/server/app.py +++ b/src/audioformation/server/app.py @@ -24,7 +24,7 @@ class SafeStaticFiles(StaticFiles): async def get_response(self, path: str, scope) -> Response: # Normalize path for check - p = Path(path).lower() + p = Path(str(path).lower()) if "00_config" in p.parts or p.name.startswith(".env") or ".git" in p.parts: raise HTTPException( status_code=403, detail="Access denied to sensitive resource"