5 changes: 5 additions & 0 deletions .jules/sentinel.md
Expand Up @@ -2,3 +2,8 @@
**Vulnerability:** Raw error objects from FFmpeg and browser APIs (`error.message` and `console.error`) were being rendered directly in the user interface and browser console.
**Learning:** Returning unhandled exception messages to the client risks exposing internal stack traces, system paths, and unexpected framework vulnerabilities to potential attackers.
**Prevention:** Catch error blocks should log a sanitized version of the error or omit sensitive details, while the state presented to the user should be a generic, friendly, and secure fallback message (e.g. "Processing failed securely").

## 2024-03-25 - Prevent Path Traversal in Server File Uploads
**Vulnerability:** In `src/app/api/video/[tool]/route.ts`, the file upload endpoint used the unsanitized `file.name` to construct the `inputPath` where the server would save the user's file (`${tmpDir}/${crypto.randomUUID()}_${file.name}`). This permitted a Path Traversal vulnerability where an attacker could upload a file with a name containing `../` to write arbitrary files outside the intended `/tmp/omni/video` directory, such as `../../../../../etc/passwd`.
**Learning:** Even if randomizing the start of a file path (using `crypto.randomUUID()`), appending user-controlled input to the end of a path without sanitization still allows the directory segments to traverse up the file tree.
**Prevention:** Always sanitize filenames from user uploads using `path.basename(file.name)` to strip out any directory paths and safely construct paths using `path.join()`.
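Review bot: The Prevention line of the new 2024-03-25 entry presents `path.basename(file.name)` as the whole fix, which overstates it. On a POSIX host Node's `path.basename` splits only on `/`, so a name that uses backslash separators passes through unchanged, and the entry does not mention confirming that the final path still resolves under `/tmp/omni/video`. Suggest extending the line to also recommend a containment check on the resolved path, or storing uploads under a server-generated name only, so the guidance does not rest on a single string operation.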
5 changes: 4 additions & 1 deletion src/app/api/video/[tool]/route.ts
Expand Up @@ -126,7 +126,10 @@ export async function POST(

const tmpDir = `/tmp/omni/video`;
await fs.mkdir(tmpDir, { recursive: true });
const inputPath = `${tmpDir}/${crypto.randomUUID()}_${file.name}`;

// Prevent path traversal by extracting just the filename
const safeFileName = path.basename(file.name);
const inputPath = path.join(tmpDir, `${crypto.randomUUID()}_${safeFileName}`);

// Write file to disk
const arrayBuffer = await file.arrayBuffer();
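Review bot: `path` is referenced on both added lines (`path.basename(file.name)` and `path.join(tmpDir, ...)`), but this file's change is 4 additions and 1 deletion, all inside this hunk, so no import is added by the commit. Please confirm `route.ts` already imports `path`, and add the import if it does not. Separately, `safeFileName` still carries the user-supplied name onto disk with no check that it is non-empty or that `inputPath` resolves under `tmpDir`. Consider asserting that `path.resolve(inputPath)` starts with `tmpDir + path.sep` before writing, or keeping only the UUID plus a validated extension.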