This repository was archived by the owner on Apr 22, 2026. It is now read-only.

🔒 Fix path traversal vulnerability in FileStore (#1310) #1345

Open
paipeline wants to merge 1 commit into AntonOsika:main from paipeline:fix/path-traversal-security-1310

@paipeline paipeline commented Feb 19, 2026

Summary

This PR fixes a critical path traversal security vulnerability in the FileStore.push() method that allows arbitrary file writes outside the intended directory.

Issue

As reported in #1310, the current implementation lacks security validation for file paths, enabling:

  • Path traversal attacks using ../../../etc/passwd patterns
  • Absolute path injection to write to system files like /etc/passwd
  • No content validation or file type restrictions
  • Sandbox escape where malicious LLM output can modify sensitive files

Root Cause

In FileStore.push(), user-controlled file names from files.items() were directly passed to:

path = self.working_dir / name  # No validation!

This allows attackers to use path traversal sequences to escape the working directory.

Solution

Security Enhancements

  1. Path Validation: New _validate_path() method performs comprehensive security checks
  2. Traversal Prevention: Blocks dangerous patterns (../, absolute paths, system directories)
  3. Boundary Enforcement: Ensures resolved paths stay within working_dir
  4. Extension Allowlist: Optional file type restrictions for additional security
  5. Security Logging: Comprehensive logging of blocked attempts

Key Security Checks

  • ❌ Block ../, ..\\, ~/, /etc/, /usr/, /var/, /root/, C:\\ patterns
  • ❌ Reject absolute paths entirely
  • ❌ Validate resolved path stays within working directory boundaries
  • ✅ Optional file extension allowlist (backward compatible - default allows all)
  • ✅ Comprehensive error messages and logging

Backward Compatibility

  • Default behavior preserved: All file extensions allowed unless explicitly restricted
  • API unchanged: No breaking changes to public interface
  • Error handling improved: More descriptive error messages

Testing

Added comprehensive security test suite (test_file_store_security.py) covering:

  • ✅ Path traversal prevention (../../../etc/passwd)
  • ✅ Absolute path blocking (/etc/passwd)
  • ✅ System directory protection (~/, /usr/, /var/, etc.)
  • ✅ File extension allowlist functionality
  • ✅ Boundary validation with complex traversal attempts
  • ✅ Normal file operations still work correctly

All tests pass

Before/After

Before (Vulnerable):

files = FilesDict({'../../../etc/passwd': 'malicious content'})  
store.push(files)  # 😱 Would write to /etc/passwd!

After (Secure):

files = FilesDict({'../../../etc/passwd': 'malicious content'})
store.push(files)  # 🛡️ Raises ValueError: "Path contains dangerous pattern"

Impact

This is a HIGH SEVERITY security fix that:

  • 🔒 Prevents RCE/arbitrary file write vulnerabilities
  • 🛡️ Protects against malicious LLM output exploiting path traversal
  • Maintains full backward compatibility for legitimate use cases
  • 📊 Enables security monitoring through logging

References


Important

Fixes path traversal vulnerability in FileStore.push() by adding path validation and security checks.

  • Security Enhancements:
    • Adds _validate_path() in FileStore to validate and sanitize file paths.
    • Blocks path traversal patterns (../, ..\\, ~/, etc.) and absolute paths.
    • Ensures paths resolve within working_dir.
    • Introduces optional file extension allowlist.
    • Logs blocked attempts and errors.
  • Testing:
    • Adds test_file_store_security.py with tests for path traversal prevention, absolute path blocking, system directory protection, and file extension allowlist.
    • Tests ensure paths stay within working_dir and handle complex traversal attempts.
    • Verifies normal file operations remain functional.

This description was created by Ellipsis for a8902c4. You can customize this summary. It will automatically update as commits are pushed.
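
The "Boundary Enforcement" step listed in the description above (resolved paths must stay within working_dir) can be illustrated as follows. This is an added example, not code from this PR or the project; `resolve_inside`, `check_names` and the sample names are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def resolve_inside(working_dir: Path, name: str) -> Path:
    """Hypothetical helper (not the PR's _validate_path()): return the
    resolved target for `name`, or raise ValueError if it escapes."""
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    candidate = Path(name)
    # An absolute right-hand operand replaces the left side of `/`,
    # so `working_dir / "/etc/passwd"` is just "/etc/passwd".
    if candidate.is_absolute() or candidate.drive:
        raise ValueError(f"absolute path rejected: {name!r}")
    root = working_dir.resolve()
    # resolve() collapses ".." and follows symlinks that already exist.
    target = (root / candidate).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes working_dir: {name!r}") from None
    return target


def check_names(names):
    """Check each name against a throwaway working directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "project"
        work.mkdir()
        # Constructed trap: a symlink inside working_dir pointing outside it.
        os.symlink(tmp, work / "link", target_is_directory=True)
        for name in names:
            try:
                resolve_inside(work, name)
                results[name] = "ok"
            except ValueError:
                results[name] = "blocked"
    return results


# Constructed sample names, including the two used in the PR description.
SAMPLES = ["src/main.py", "../../../etc/passwd", "/etc/passwd",
           "src/../README.md", "link/escaped.txt", "notes..txt"]

if __name__ == "__main__":
    for name, verdict in check_names(SAMPLES).items():
        print(f"{verdict:8} {name}")
```

The check reflects the filesystem at validation time, so a symlink created between the check and the write is not covered by it.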

This commit addresses a critical security vulnerability in the FileStore class
where user-controlled file paths were not properly validated, allowing for
arbitrary file write attacks and path traversal.

Security improvements:
- Add path validation in _validate_path() method to block dangerous patterns
- Prevent absolute paths and common system directory references
- Ensure resolved paths stay within the working directory boundaries
- Add optional file extension allowlist for additional security
- Add comprehensive logging for security events

Backward compatibility:
- Default behavior unchanged - all extensions allowed unless restricted
- Existing functionality preserved while adding security layers
- Error handling improved with descriptive messages

Tests:
- Added comprehensive security test suite in test_file_store_security.py
- Tests cover path traversal, absolute paths, system directories, extension
  filtering, and edge cases
- All tests pass confirming security fixes work correctly

This fix prevents malicious LLM outputs from writing to sensitive system
files or escaping the intended sandbox directory.

@ellipsis-dev ellipsis-dev Bot left a comment


Important

Looks good to me! 👍

Reviewed everything up to a8902c4 in 15 seconds. Click for details.
  • Reviewed 309 lines of code in 2 files
  • Skipped 0 files when reviewing.
  • Skipped posting 0 draft comments. View those below.

Workflow ID: wflow_SwXt6XZGnbxVePGt


Development

Successfully merging this pull request may close these issues.

Security Issue: Arbitrary File Write Vulnerability in Code Modification Logic
