π‘οΈ Sentinel: [CRITICAL] Fix path traversal in snapshot commands#39
π‘οΈ Sentinel: [CRITICAL] Fix path traversal in snapshot commands#39bitcoiner-dev wants to merge 1 commit into
Conversation
Implemented a `validate_file_name` function to restrict user-supplied snapshot names strictly to alphanumeric characters, dashes, and underscores. Applied this validation to the Save and Restore commands in `src/commands/snapshot.rs` to ensure input values cannot manipulate `PathBuf::join` via relative or absolute path structures (`../` or `/`), closing a critical arbitrary file write/read vulnerability. Co-authored-by: bitcoiner-dev <75873427+bitcoiner-dev@users.noreply.github.com>
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
1 participant
π¨ Severity: CRITICAL
π‘ Vulnerability: Path Traversal in the
Snapshotcommands. The application was interpolating a user-supplied string (name) directly intosnap_dir.join(format!("{name}.json")). Without validation, passing absolute paths (e.g./etc/passwd) or relative upward traversals (e.g.../../../some-file) causedPath::jointo escape the intendedsnap_dirboundary. This permitted arbitrary file read (during Restore) and arbitrary file overwrite (during Save) with application permissions.π― Impact: An attacker could craft a malicious payload (via the CLI argument for a snapshot name) to either read out arbitrary file data (exposing sensitive files like configurations or key material) or overwrite files on the system, leading to privilege escalation or complete system compromise in automated environments.
π§ Fix: Implemented
validate_file_nameinsrc/utils.rswhich applies a strict allowlist constraint on file name parts (alphanumeric,-, and_). Intercepted user input inSnapshotAction::SaveandSnapshotAction::Restoreand applied this validation prior to path joining. Added rigorous unit tests.β Verification: Run
cargo test --bin zinc-clito ensure the validation logic correctly rejects inputs containing../or/separators, and ensures existingSaveandRestoreoperations remain fully functional.PR created automatically by Jules for task 12040537447863696327 started by @bitcoiner-dev