🛡️ Sentinel: [CRITICAL] Fix Path Traversal in ApiFilesGet

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2024-10-24 - Fix Path Traversal in ApiFilesGet
+ **Vulnerability:** Path traversal in `api/api_files_get.py` allowed arbitrary file reading outside of the base directory via manipulated input paths (e.g. starting with `/a0/../../`).
+ **Learning:** When converting internal virtual paths to physical paths on the file system, standard normalization handles `..` but can resolve to directories completely outside the expected application root.
+ **Prevention:** Always use a base directory check function (like `files.is_in_base_dir()`) immediately before acting on any user-provided or user-manipulated file path to restrict access boundaries.

api/api_files_get.py

@@ -62,6 +62,11 @@ async def process(self, input: dict, request: Request) -> dict | Response:
                         external_path = path
                         filename = os.path.basename(path)
 
+                    # Security check: ensure path is within base directory to prevent path traversal
+                    if not files.is_in_base_dir(external_path):
+                        PrintStyle.warning(f"Security: Path traversal attempt blocked for path: {path}")
+                        continue
+
                     # Check if file exists
                     if not os.path.exists(external_path):
                         PrintStyle.warning(f"File not found: {path}")