🔒 Unsanitized sandbox ID can lead to path traversal in request URL #260

Description

@asmit25805

🔒 Security · 🟠 High · Confidence: 94%

File: crates/forkd-cli/src/sandbox.rs
Location: delete_sandbox


What's wrong

The sandbox ID is interpolated directly into the request URL without validation, allowing crafted IDs to target arbitrary endpoints. Problematic line: let url = format!("{}/v1/sandboxes/{}", daemon_url.trim_end_matches('/'), id);

Suggested fix

Validate or encode the id to ensure it contains only allowed characters (e.g., alphanumeric and hyphens) before constructing the URL:

// Reject any ID that is not made of ASCII letters, digits or hyphens, so it
// cannot add path segments, a query string or a fragment to the request URL.
if !id.chars().all(|c| c.is_ascii_alphanumeric() || c == '-') {
    anyhow::bail!("invalid sandbox id");
}
// Only a validated ID reaches the URL.
let url = format!("{}/v1/sandboxes/{}", daemon_url.trim_end_matches('/'), id);
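To show the check in action, here is an added, self-contained Rust example (not the forkd project's own code) that wraps the validation in a URL builder and runs it over constructed sandbox IDs; the daemon address, the 64-character length bound and the function names are assumptions for illustration.

```rust
// Added example, not code from the forkd repository. The daemon URL and the
// sandbox IDs below are constructed sample values.

// Accept only non-empty, bounded IDs made of ASCII letters, digits and
// hyphens. This rules out '/', '.', '?', '#', '%' and whitespace, so the ID
// cannot introduce a new path segment, query string or fragment into the URL.
fn is_valid_sandbox_id(id: &str) -> bool {
    !id.is_empty()
        && id.len() <= 64 // assumed upper bound, not from the page
        && id.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
}

// Build the DELETE target only from an ID that passed validation.
fn sandbox_url(daemon_url: &str, id: &str) -> Result<String, String> {
    if !is_valid_sandbox_id(id) {
        return Err(format!("invalid sandbox id: {id:?}"));
    }
    Ok(format!("{}/v1/sandboxes/{}", daemon_url.trim_end_matches('/'), id))
}

fn main() {
    // Constructed inputs: one well-formed ID and several that would alter
    // the request path or query if interpolated unchecked.
    let daemon = "http://127.0.0.1:7070/";
    for id in ["sbx-42", "../other", "a?x=1", "", "b#frag"] {
        match sandbox_url(daemon, id) {
            Ok(u) => println!("ok   {id:?} -> {u}"),
            Err(e) => println!("deny {id:?} -> {e}"),
        }
    }
}
```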

About this report

This finding was generated by an automated audit tool using Llama 3.3 70B + verification passes.
Only findings with ≥92% confidence that passed both LLM self-verification and line reference
verification are reported. False positives are still possible — please verify before acting.
