🛡️ Sentinel: [CRITICAL] Fix Path Traversal in video API route

[Cukurikik]

🚨 Severity: CRITICAL
💡 Vulnerability: Path traversal vulnerability in src/app/api/video/[tool]/route.ts. The user-provided file.name was being concatenated directly into the output path without sanitization, allowing potential writes outside the /tmp/omni/video directory.
🎯 Impact: Attackers could potentially write arbitrary files or overwrite existing files on the server's filesystem by using relative path segments (e.g., ../../../) in the filename.
🔧 Fix: Sanitized the user-provided filename using path.basename(file.name) and correctly joined the segments using path.join().
✅ Verification: Ran pnpm exec tsc --noEmit and pnpm vitest run to ensure there are no compilation or testing regressions. Visual inspection confirms the filename is properly sanitized before appending it to the base directory.

---

PR created automatically by Jules for task 10186366171341972028 started by @Cukurikik

Summary by CodeRabbit

Bug Fixes

• Improved security for file uploads by preventing potential path traversal attacks.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 76421ff5-06d9-4e14-b460-5185d7650ec6

📥 Commits

Reviewing files that changed from the base of the PR and between 4a0187c and 50fa995.

📒 Files selected for processing (1)

• src/app/api/video/[tool]/route.ts

---

📝 Walkthrough

Walkthrough

The POST handler for the video API endpoint now sanitizes uploaded filenames using path.basename() to prevent path traversal attacks and constructs the temporary input file path using path.join() instead of string interpolation for safer path handling.

Changes

Cohort / File(s)	Summary
File Upload Security src/app/api/video/[tool]/route.ts	Sanitizes uploaded filename with path.basename() and replaces string interpolation with path.join() for constructing the temporary input file path, preventing potential path traversal vulnerabilities.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Hops through paths with careful feet,
Basename guards what's safe to meet,
No traversal shall slip through,
path.join() keeps routes true!
Security's woven, buggy holes grew few. 🛡️

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title includes non-descriptive elements (emoji and severity tag) but clearly summarizes the main security fix: preventing path traversal vulnerability in the video API route.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel/fix-path-traversal-10186366171341972028

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}