Path Traversal Vulnerability #1

@AbdullahNamespace

🔒 [SECURITY] Path Traversal Vulnerability

Priority: 🔴 Critical

Description

The current implementation does not validate file paths, allowing potential path traversal attacks. An attacker could create malicious JSON configs that write files outside the intended project directory.

Vulnerability Details

Current Code (Vulnerable)

// In generator.rs - Line ~80
let full_path = self.output_dir.join(&path);
// No validation! User can provide: "../../../etc/passwd"

Attack Scenario

{
  "project": {
    "name": "malicious_project"
  },
  "files": [
    {
      "path": "../../../home/user/.ssh/authorized_keys",
      "content": "attacker's SSH key here"
    }
  ]
}

Impact

  • Severity: Critical
  • Attack Vector: Malicious JSON configuration file
  • Affected Component: ProjectGenerator::generate()
  • Users could:
    • Overwrite system files
    • Write to sensitive directories
    • Escape project sandbox

Proposed Solution

Implementation

// Add to ProjectGenerator impl
fn validate_path(&self, path: &str) -> Result<()> {
    // Check for path traversal patterns
    if path.contains("..") {
        bail!("Path traversal detected: {}", path);
    }
    
    // Check for absolute paths
    if path.starts_with('/') || path.starts_with('\\') {
        bail!("Absolute paths not allowed: {}", path);
    }
    
    // Check for Windows drive letters
    if path.len() >= 2 && path.chars().nth(1) == Some(':') {
        bail!("Drive letters not allowed: {}", path);
    }
    
    Ok(())
}

// Use in generate()
for item in &self.config.directories {
    let (path, condition) = match item {
        DirectoryItem::Simple(p) => (p.clone(), None),
        DirectoryItem::Complex(c) => (c.path.clone(), c.condition.clone()),
    };
    
    // ADD THIS
    self.validate_path(&path)?;
    
    // ... rest of the code
}

Testing

#[cfg(test)]
mod security_tests {
    use super::*;

    #[test]
    fn test_reject_parent_directory() {
        let gen = create_test_generator();
        assert!(gen.validate_path("../etc/passwd").is_err());
    }

    #[test]
    fn test_reject_absolute_path() {
        let gen = create_test_generator();
        assert!(gen.validate_path("/etc/passwd").is_err());
    }

    #[test]
    fn test_accept_safe_path() {
        let gen = create_test_generator();
        assert!(gen.validate_path("src/main.rs").is_ok());
    }
}

References

Action Items

  • Implement validate_path() function
  • Add validation to both files and directories processing
  • Add comprehensive security tests
  • Update documentation with security notice
  • Consider adding --allow-absolute-paths flag for advanced users

Environment

  • Version: v1.0
  • Affected Files: src/generator.rs
  • OS: All platforms
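An added example, not part of the original issue or the project's code: a component-wise check that covers the cases listed above without rejecting legitimate names such as `notes..old.md`, which a substring test for `..` would refuse. The helper name `safe_join` and the sample inputs are assumptions made for illustration.

```rust
use std::path::{Path, PathBuf};

/// Hypothetical helper (not from the project): join an untrusted relative
/// path from the JSON config onto `base`, rejecting anything that could
/// land outside it. Lexical check only; it does not touch the filesystem.
pub fn safe_join(base: &Path, untrusted: &str) -> Result<PathBuf, String> {
    if untrusted.is_empty() || untrusted.contains('\0') {
        return Err("empty path or embedded NUL".to_string());
    }
    // Judge '/' and '\' the same on every OS, so one config cannot be safe
    // on Linux and traversing on Windows.
    let is_sep = |c: char| c == '/' || c == '\\';
    if untrusted.starts_with(is_sep) {
        return Err(format!("absolute path not allowed: {untrusted}"));
    }
    let mut out = base.to_path_buf();
    for part in untrusted.split(is_sep) {
        match part {
            // Empty and "." components are no-ops ("a//b", "./a").
            "" | "." => continue,
            // Compare whole components, so "notes..old.md" stays legal.
            ".." => return Err(format!("parent component not allowed: {untrusted}")),
            // Covers drive letters ("C:") and NTFS stream syntax ("f:s").
            p if p.contains(':') => {
                return Err(format!("drive or stream syntax not allowed: {untrusted}"))
            }
            p => out.push(p),
        }
    }
    if out.as_path() == base {
        return Err(format!("path names the output directory itself: {untrusted}"));
    }
    Ok(out)
}

fn main() {
    // Constructed sample inputs, including the path from the attack scenario.
    let base = Path::new("generated_project");
    for p in [
        "src/main.rs",
        "docs/notes..old.md",
        "../../../home/user/.ssh/authorized_keys",
        "src/../../etc/passwd",
        "/etc/passwd",
        "C:\\Windows\\win.ini",
    ] {
        println!("{p:?} -> {:?}", safe_join(base, p));
    }
}
```

This check is purely lexical: a symlink that already exists inside the output directory can still redirect a write, so a caller that cannot rule that out should also canonicalize the parent directory and confirm it is still under the canonicalized output directory before writing.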
