Skip to content

security: sanitize fetch parameter in /download endpoint using secure_filename (fixes #358)#403

Merged
pradeeban merged 1 commit into
ControlCore-Project:devfrom
GaneshPatil7517:security/secure-fetch-filename
Feb 19, 2026
Merged

security: sanitize fetch parameter in /download endpoint using secure_filename (fixes #358)#403
pradeeban merged 1 commit into
ControlCore-Project:devfrom
GaneshPatil7517:security/secure-fetch-filename

Conversation

@GaneshPatil7517
Copy link
Copy Markdown
Contributor

@GaneshPatil7517 GaneshPatil7517 commented Feb 18, 2026
edited
Loading

Hello pradeeban Sir,

Fixes #358.

This PR improves validation of the fetch parameter in the /download endpoint.

Previously, dir and fetchDir were sanitized, but the fetch value (used as the filename) was passed directly to send_from_directory() without sanitization. This meant a request like:

fetch=../../etc/passwd

could attempt directory traversal.

This change applies secure_filename() to the requested filename before it is used. It also adds a small check to ensure the filename is not empty after sanitization.

Changes in this PR:

  • Applied secure_filename() to download_file
  • Added validation to reject missing or empty filenames
  • Kept the existing endpoint logic and security checks unchanged

Security impact:

  • Prevents directory traversal attempts through the fetch parameter
  • Restricts filenames to safe patterns (e.g. ../../etc/passwd becomes etc_passwd)
  • Blocks empty or invalid filenames with a 400 response

Scope:

  • Single file modified: fri/server/main.py
  • No changes to concore-lite
  • No changes to Verilog code
  • No behavior change for valid requests

Testing done locally:

  • Normal downloads such as fetch=example.txt still work
  • Traversal attempts like fetch=../../etc/passwd are sanitized
  • Empty or invalid filenames return HTTP 400
  • No regressions observed in directory handling

Please review. Thank you.
image

Copilot AI review requested due to automatic review settings February 18, 2026 10:10
Copilot AI reviewed Feb 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a security vulnerability (Issue #358) in the /download endpoint by applying secure_filename() sanitization to the fetch parameter, which was previously passed unsanitized to send_from_directory(). This prevented potential path traversal attacks where malicious users could access files outside the intended directory.

Changes:

  • Applied secure_filename() to sanitize the download_file parameter (derived from fetch)
  • Added validation to reject empty filenames after sanitization
  • Maintained existing security checks for defense-in-depth

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pradeeban pradeeban merged commit a51d841 into ControlCore-Project:dev Feb 19, 2026
11 of 12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@GaneshPatil7517 @pradeeban