🛡️ Sentinel: [CRITICAL] Fix Path Traversal Vulnerability in Profile and Snapshot loading #36
Conversation
🚨 Severity: CRITICAL

💡 Vulnerability: User-provided inputs (`config.profile` and `name` in snapshots) were directly interpolated into file paths (e.g., using `Path::join`) without validation. This allowed path traversal via `../`, enabling an attacker to read or write arbitrary files on the system outside the designated `profiles` or `snapshots` directories.

🎯 Impact: Arbitrary file read/write on the system, potentially leading to unauthorized access, modification, or exposure of sensitive data (like `~/.ssh/id_rsa`, `/etc/passwd`, or other user profiles).

🔧 Fix: Implemented a strict allowlist validation function (`validate_file_name`) in `src/utils.rs` that ensures file names are non-empty and consist only of alphanumeric characters, underscores, and dashes. Applied this validation to `config.profile` in `src/paths.rs` and snapshot `name` in `src/commands/snapshot.rs` before using them in file path construction. Also added unit tests to verify the validation logic.

✅ Verification: Ensure the unit tests pass by running `cargo test --bin zinc-cli` and verifying `test_validate_file_name_valid` and `test_validate_file_name_invalid` succeed.

Co-authored-by: bitcoiner-dev <75873427+bitcoiner-dev@users.noreply.github.com>
PR created automatically by Jules for task 12832271202230626759 started by @bitcoiner-dev
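An added example, not the PR's own code, of the allowlist check the description refers to, together with a containment check a caller can run on the joined path as defence in depth. `safe_join` and `stays_under` are hypothetical helper names, and the base directory is a constructed sample; the real `validate_file_name` in `src/utils.rs` may differ in signature.

```rust
use std::path::{Component, Path, PathBuf};

/// Why a user-supplied name was rejected.
#[derive(Debug, PartialEq)]
pub enum NameError {
    Empty,
    InvalidChar(char),
}

/// Allowlist as the PR describes it: non-empty, and every character is ASCII
/// alphanumeric, '_' or '-'. Separators and dots (so also "..") never get
/// as far as Path::join. (Example implementation, not the project's own.)
pub fn validate_file_name(name: &str) -> Result<(), NameError> {
    if name.is_empty() {
        return Err(NameError::Empty);
    }
    match name
        .chars()
        .find(|c| !(c.is_ascii_alphanumeric() || *c == '_' || *c == '-'))
    {
        Some(c) => Err(NameError::InvalidChar(c)),
        None => Ok(()),
    }
}

/// Hypothetical helper: build `<base>/<name>.<ext>` only after validation.
pub fn safe_join(base: &Path, name: &str, ext: &str) -> Result<PathBuf, NameError> {
    validate_file_name(name)?;
    Ok(base.join(format!("{name}.{ext}")))
}

/// Hypothetical defence-in-depth check. Note that `Path::starts_with` compares
/// components, so "<base>/../../etc/passwd" still "starts with" base; the
/// ParentDir check is what actually catches an escape without touching disk.
pub fn stays_under(base: &Path, candidate: &Path) -> bool {
    candidate.starts_with(base)
        && !candidate.components().any(|c| matches!(c, Component::ParentDir))
}

fn main() {
    // Constructed sample base directory.
    let base = Path::new("/home/user/.zinc/profiles");
    for name in ["default", "work-laptop_2", "../../etc/passwd", "", "a/b"] {
        match safe_join(base, name, "toml") {
            Ok(p) => println!("{name:?} -> {}", p.display()),
            Err(e) => println!("{name:?} rejected: {e:?}"),
        }
    }
}
```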