🛡️ Sentinel: [HIGH] Fix path traversal in auth files handlers#119
🛡️ Sentinel: [HIGH] Fix path traversal in auth files handlers#119
Conversation
…andlers Replaces OS-specific path separator checks with explicit cross-platform `/` and `\` validation in `DownloadAuthFile`, `UploadAuthFile`, and `DeleteAuthFile`. Also moves these checks earlier in the request lifecycle to properly isolate testing logic from required component dependencies (e.g., `authManager`). Co-authored-by: rschumann <360788+rschumann@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
…andlers Replaces OS-specific path separator checks with explicit cross-platform `/` and `\` validation for `name` query parameters in `UploadAuthFile` and `DeleteAuthFile`. Co-authored-by: rschumann <360788+rschumann@users.noreply.github.com>
1 participant
🚨 Severity: HIGH
💡 Vulnerability: Path traversal checks in file handlers used
os.PathSeparator, which allowed attackers to use backslashes (\) to traverse out of restricted directories when running on Linux (where the separator is/). Additionally,UploadAuthFiledid not properly validate paths within multipart form data.🎯 Impact: An attacker could potentially download, delete, or overwrite arbitrary files on the host filesystem by supplying crafted filenames such as
..\..\etc\passwdvia the Management API.🔧 Fix:
strings.Contains(name, string(os.PathSeparator))with explicitstrings.ContainsAny(name, "/\\")across all file handlers for true cross-platform protection.UploadAuthFileandDeleteAuthFileto perform input validation before theauthManager == nilcheck, allowing inputs to fail fast without requiring full system initialization.file.Filenamevalidation inUploadAuthFile.✅ Verification: Unit tests within
auth_files_security_test.gowere updated to run on all platforms, explicitly asserting that backslash traversal attempts are properly rejected with a400 Bad Request. Tested and passed viago test ./internal/api/handlers/management/ -v -run PathTraversal.PR created automatically by Jules for task 13176354521863178677 started by @rschumann