πŸ›‘οΈ Sentinel: [CRITICAL] Fix Path Traversal in video upload API#141

Open
Cukurikik wants to merge 1 commit into
mainfrom
fix-path-traversal-video-api-16489355823253958809

Conversation

@Cukurikik
Collaborator

@Cukurikik Cukurikik commented Mar 25, 2026

🚨 Severity: CRITICAL
💡 Vulnerability: Path Traversal in the /api/video/[tool]/route.ts endpoint allowed an attacker to supply a file.name containing directory traversal segments (e.g., ../../../etc/passwd), permitting arbitrary file write outside the /tmp/omni/video directory.
🎯 Impact: An attacker could potentially write arbitrary files to the server's filesystem.
🔧 Fix: Sanitized the user-provided file.name using path.basename() to securely extract only the intended file name, and safely constructed the path using path.join().
✅ Verification: Ran unit tests and validated file uploads locally using a PoC script showing that traversed filenames are correctly stripped to base names. Recorded learning in .jules/sentinel.md.


PR created automatically by Jules for task 16489355823253958809 started by @Cukurikik

Summary by CodeRabbit

  • Bug Fixes
    • Improved filename handling in video uploads to ensure files are reliably written to the intended directory using safer path construction techniques.

Sanitized the user-provided `file.name` using `path.basename()` before writing to the local `/tmp/omni/video` directory to prevent directory traversal attacks (e.g., `../../../../etc/passwd`).

Co-authored-by: Cukurikik <[email protected]>
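The fix described in this PR, written out as an added example (not the PR's own route code): the pre-fix string interpolation beside the `path.basename()` + `path.join()` version, plus a containment check a reviewer would want next to it, since `basename("..")` is still `".."` and joins to the parent directory. The names `VIDEO_DIR`, `unsafeVideoPath`, `safeVideoPath`, `guardedVideoPath` and `normalisedUnsafeTarget` are assumed for this example.

```typescript
import * as path from "path";

// Upload directory named in the PR description.
export const VIDEO_DIR = "/tmp/omni/video";

// Posix semantics on purpose: the route writes to /tmp on a Linux host,
// and this keeps results identical when the example runs on Windows.
const p = path.posix;

// Pre-fix shape as the PR describes it: the client-controlled name is
// interpolated straight into the path, so "../" segments walk out of
// VIDEO_DIR once the OS normalises the path.
export function unsafeVideoPath(fileName: string): string {
  return `${VIDEO_DIR}/${fileName}`;
}

// Where the pre-fix path actually lands after normalisation.
export function normalisedUnsafeTarget(fileName: string): string {
  return p.normalize(unsafeVideoPath(fileName));
}

// The PR's fix: basename() drops every directory component and join()
// builds the final path from the upload directory.
export function safeVideoPath(fileName: string): string {
  return p.join(VIDEO_DIR, p.basename(fileName));
}

// Defence in depth (assumed helper, not in the PR): the names "", "."
// and ".." survive basename() unchanged, and ".." joined onto VIDEO_DIR
// resolves to /tmp/omni. Returns null unless the resolved path is a
// direct child of VIDEO_DIR, so the caller can reject the upload.
export function guardedVideoPath(fileName: string): string | null {
  const base = p.basename(fileName);
  if (base === "" || base === "." || base === "..") {
    return null;
  }
  const root = p.resolve(VIDEO_DIR);
  const candidate = p.resolve(root, base);
  return candidate.startsWith(root + p.sep) ? candidate : null;
}
```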
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai
Contributor

coderabbitai Bot commented Mar 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
βš™οΈ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b3b5045e-03e8-4a79-9805-07b060285076

📥 Commits

Reviewing files that changed from the base of the PR and between 4a0187c and 5aa8f71.

📒 Files selected for processing (2)
  • .jules/sentinel.md
  • src/app/api/video/[tool]/route.ts

πŸ“ Walkthrough

Walkthrough

A path traversal vulnerability in the video upload API endpoint has been addressed. A Sentinel security entry documents the risk, and the POST handler now sanitizes uploaded filenames using path.basename() and constructs file paths with path.join() instead of string interpolation.

Changes

  • Security Documentation: .jules/sentinel.md
    Added new Sentinel entry dated 2024-03-25 documenting a path traversal vulnerability in the video upload endpoint caused by unsanitized file.name usage in path construction.
  • API Route Sanitization: src/app/api/video/[tool]/route.ts
    Modified POST handler to sanitize uploaded filenames by extracting path.basename(file.name) and constructing the input path using path.join() instead of template string interpolation, mitigating path traversal attacks.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A path was traversing astray,
With ../ trying to lead files away,
But basename() and path.join() stand guard,
Keeping uploads safe: our work isn't hard!
Security hopping through /tmp/omni/video, hooray! 🔒

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title directly addresses the main change: fixing a critical path traversal vulnerability in the video upload API. It is specific, clear, and accurately reflects the primary objective of the changeset.

