🛡️ Sentinel: [HIGH] Fix path traversal vulnerability#249
Open
bashandbone wants to merge 1 commit into
Open
🛡️ Sentinel: [HIGH] Fix path traversal vulnerability#249bashandbone wants to merge 1 commit into
bashandbone wants to merge 1 commit into
Conversation
During lexical path normalization, `../` components were handled by blindly calling `components.pop()`. This allowed paths to escape intended root scopes by popping root indicators, or incorrectly simplified paths like `../../foo` into `foo` if the components list was empty. The manual path resolution has been updated to explicitly preserve `..` ascensions and prevent traversal beyond roots. Co-authored-by: bashandbone <89049923+bashandbone@users.noreply.github.com>
Contributor
|
đź‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a đź‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
Contributor
Reviewer's guide (collapsed on small PRs)Reviewer's GuideRefines manual path normalization in the TypeScript dependency extractor to apply correct lexical resolution for File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- The
ParentDirhandling logic in the path normalization branch has become non-trivial; consider extracting it into a small helper function with a brief comment documenting the intended invariants (empty stack, root/prefix boundaries, chained..) to improve readability and future maintenance. - For cross-platform clarity, it might be worth explicitly documenting how the
PrefixandRootDircases behave on Windows (e.g., UNC paths, drive prefixes) since the traversal blocking logic depends on these semantics.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The `ParentDir` handling logic in the path normalization branch has become non-trivial; consider extracting it into a small helper function with a brief comment documenting the intended invariants (empty stack, root/prefix boundaries, chained `..`) to improve readability and future maintenance.
- For cross-platform clarity, it might be worth explicitly documenting how the `Prefix` and `RootDir` cases behave on Windows (e.g., UNC paths, drive prefixes) since the traversal blocking logic depends on these semantics.Help me be more useful! Please click đź‘Ť or đź‘Ž on each comment and I'll use the feedback to improve your reviews.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the TypeScript dependency extractor’s manual path normalization to avoid incorrectly dropping .. path components, addressing a reported path traversal/incorrect-resolution vulnerability. It also adds a Sentinel entry documenting the issue and prevention guidance.
Changes:
- Update manual
..resolution logic inTypeScriptDependencyExtractor::resolve_module_pathto preserve leading ascensions and prevent popping root boundaries. - Add a
.jules/sentinel.mdentry capturing the vulnerability details and mitigation guidance.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| crates/flow/src/incremental/extractors/typescript.rs | Adjusts lexical handling of ParentDir components during manual path normalization. |
| .jules/sentinel.md | Adds a Sentinel note describing the vulnerability and recommended prevention approach. |
đź’ˇ Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+816
to
+817
| Some(std::path::Component::RootDir) | ||
| | Some(std::path::Component::Prefix(_)) => {} |
Comment on lines
802
to
+815
| // Normalize the path to resolve ../ components | ||
| if let Ok(canonical) = resolved.canonicalize() { | ||
| resolved = canonical; | ||
| } else { | ||
| // If canonicalize fails (file doesn't exist), manually resolve | ||
| let mut components = Vec::new(); | ||
| for component in resolved.components() { | ||
| match component { | ||
| std::path::Component::ParentDir => { | ||
| components.pop(); | ||
| let last = components.last().copied(); | ||
| match last { | ||
| None | Some(std::path::Component::ParentDir) => { | ||
| components.push(component); | ||
| } |
Comment on lines
+1
to
+3
|
|
||
| ## 2024-05-20 - Lexical Path Normalization Traversal Vulnerability | ||
| **Vulnerability:** In `crates/flow/src/incremental/extractors/typescript.rs`, manual path normalization handled `..` components by blindly calling `components.pop()`. |
| @@ -0,0 +1,5 @@ | |||
|
|
|||
| ## 2024-05-20 - Lexical Path Normalization Traversal Vulnerability | |||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🚨 Severity: HIGH
đź’ˇ Vulnerability: In
crates/flow/src/incremental/extractors/typescript.rs, manual path normalization handled..components by blindly callingcomponents.pop(). This effectively meant../components could silently disappear or strip root path components.🎯 Impact: This flaw breaks relative navigation and creates a path traversal vulnerability where ascensions (
..) could escape intended root scopes or incorrectly simplify relative paths, leading to incorrect file access or bypassed path constraints.🔧 Fix: Updated the path canonicalization to properly implement lexical resolution. It now pushes
..if the path is empty or already ends in..(preserving necessary ascensions), ignores..if the path is at a root or prefix boundary (preventing traversal above root), and safely pops otherwise.âś… Verification: Ran unit tests for the TypeScript extractor (
cargo test -p thread-flow --test extractor_typescript_tests) which all pass successfully.PR created automatically by Jules for task 10142149368411894985 started by @bashandbone
Summary by Sourcery
Fix unsafe path normalization in the TypeScript dependency extractor to prevent path traversal and document the vulnerability and its mitigation.
Bug Fixes:
Documentation: