🔒 [SECURITY] Path Traversal Vulnerability
Priority: 🔴 Critical
Description
The current implementation does not validate file paths, allowing potential path traversal attacks. An attacker could create malicious JSON configs that write files outside the intended project directory.
Vulnerability Details
Current Code (Vulnerable)
    // In generator.rs - Line ~80
    let full_path = self.output_dir.join(&path);
    // No validation! User can provide: "../../../etc/passwd"
Attack Scenario
    {
      "project": {
        "name": "malicious_project"
      },
      "files": [
        {
          "path": "../../../home/user/.ssh/authorized_keys",
          "content": "attacker's SSH key here"
        }
      ]
    }
Impact
- Severity: Critical
- Attack Vector: Malicious JSON configuration file
- Affected Component: ProjectGenerator::generate()
- Users could:
  - Overwrite system files
  - Write to sensitive directories
  - Escape project sandbox
Proposed Solution
Implementation
    // Add to ProjectGenerator impl
    // Assumes `bail!` and a one-parameter `Result<T>` alias are in scope,
    // e.g. `use anyhow::{bail, Result};`
    fn validate_path(&self, path: &str) -> Result<()> {
        // Check for path traversal patterns.
        // Substring match: this also rejects names that merely contain "..",
        // such as "notes..txt".
        if path.contains("..") {
            bail!("Path traversal detected: {}", path);
        }
        // Check for absolute paths
        if path.starts_with('/') || path.starts_with('\\') {
            bail!("Absolute paths not allowed: {}", path);
        }
        // Check for Windows drive letters
        if path.len() >= 2 && path.chars().nth(1) == Some(':') {
            bail!("Drive letters not allowed: {}", path);
        }
        Ok(())
    }

    // Use in generate()
    for item in &self.config.directories {
        let (path, condition) = match item {
            DirectoryItem::Simple(p) => (p.clone(), None),
            DirectoryItem::Complex(c) => (c.path.clone(), c.condition.clone()),
        };
        // ADD THIS
        self.validate_path(&path)?;
        // ... rest of the code
    }
Testing
    #[cfg(test)]
    mod security_tests {
        use super::*;

        #[test]
        fn test_reject_parent_directory() {
            let gen = create_test_generator();
            assert!(gen.validate_path("../etc/passwd").is_err());
        }

        #[test]
        fn test_reject_absolute_path() {
            let gen = create_test_generator();
            assert!(gen.validate_path("/etc/passwd").is_err());
        }

        #[test]
        fn test_accept_safe_path() {
            let gen = create_test_generator();
            assert!(gen.validate_path("src/main.rs").is_ok());
        }
    }
References
Action Items
Environment
- Version: v1.0
- Affected Files:
src/generator.rs
- OS: All platforms
Action Items
- validate_path() function
- --allow-absolute-paths flag for advanced users
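A component-based variant of the proposed validate_path() check, added here as an example and not part of the issue or the project's code: instead of scanning the string for "..", it walks std::path::Component values, so the attack-scenario path is rejected while a name like notes..txt is still accepted. The helper name safe_join and the /tmp/project_out base directory are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Join a config-supplied relative path onto `output_dir`, refusing anything
/// that could resolve outside it. `safe_join` is a hypothetical helper name.
pub fn safe_join(output_dir: &Path, rel: &str) -> Result<PathBuf, String> {
    let mut out = output_dir.to_path_buf();
    for comp in Path::new(rel).components() {
        match comp {
            // Ordinary file or directory name, e.g. "src" or "notes..txt".
            Component::Normal(name) => out.push(name),
            // "." does not move anywhere; skip it.
            Component::CurDir => {}
            // ".." anywhere in the path, including "src/../../x".
            Component::ParentDir => {
                return Err(format!("parent directory component in {rel:?}"));
            }
            // Leading "/" (RootDir) or a Windows drive/UNC prefix (Prefix).
            Component::RootDir | Component::Prefix(_) => {
                return Err(format!("absolute path not allowed: {rel:?}"));
            }
        }
    }
    // "" and "." name no file below the output directory.
    if out.as_path() == output_dir {
        return Err(format!("path names no file: {rel:?}"));
    }
    Ok(out)
}

fn main() {
    // Constructed sample inputs, including the path from the attack scenario.
    let base = Path::new("/tmp/project_out");
    let samples = [
        "src/main.rs",
        "notes..txt",
        "../../../home/user/.ssh/authorized_keys",
        "/etc/passwd",
    ];
    for p in samples {
        println!("{p:?} -> {:?}", safe_join(base, p));
    }
}
```

The check is purely lexical: it does not resolve symlinks, so a symlink that already exists inside the output directory can still redirect a write.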