Describe the bug
While testing #178, I checked the archived-bot path traversal protections on the Hummingbot API. A valid archived bot database path worked as expected, but traversal-style and path-style invalid values did not get rejected. When /archived-bots/{db_path}/status was called with values such as ../, /tmp/test, and ..////tmp////x, the API accepted them and attempted to open paths like sqlite:///../, sqlite:////tmp/test, and sqlite:///..////tmp////x instead of failing cleanly with a 400 or 404.
Localhost (#178)
curl -s -u admin:admin "http://localhost:8000/archived-bots/..%2F/status" | jq
{
"db_path": "../",
"status": {
"db_name": "",
"db_path": "sqlite:///../",
"trade_fill": "Error - (sqlite3.OperationalError) unable to open database file\n(Background on this error at: https://sqlalche.me/e/20/e3q8)",
"orders": "Error - (sqlite3.OperationalError) unable to open database file\n(Background on this error at: https://sqlalche.me/e/20/e3q8)",
"order_status": "Error - (sqlite3.OperationalError) unable to open database file\n(Background on this error at: https://sqlalche.me/e/20/e3q8)",
"executors": "Error - (sqlite3.OperationalError) unable to open database file\n(Background on this error at: https://sqlalche.me/e/20/e3q8)",
"controllers": "Error - (sqlite3.OperationalError) unable to open database file\n(Background on this error at: https://sqlalche.me/e/20/e3q8)",
"positions": "Error - (sqlite3.OperationalError) unable to open database file\n(Background on this error at: https://sqlalche.me/e/20/e3q8)",
"general_status": false
},
"healthy": false
}
Remote HAPI (main branch)
curl -s -u 'loremiptsupm:secrethehe' 'http://X.XX3.XX.34:8000/archived-bots/..%2F/status'
{
"db_path": "../",
"status": {
"db_path": "sqlite:///../",
"trade_fill": "Error - (sqlite3.OperationalError) unable to open database file",
"orders": "Error - (sqlite3.OperationalError) unable to open database file",
"order_status": "Error - (sqlite3.OperationalError) unable to open database file",
"executors": "Error - (sqlite3.OperationalError) unable to open database file",
"controllers": "Error - (sqlite3.OperationalError) unable to open database file",
"positions": "Error - (sqlite3.OperationalError) unable to open database file",
"general_status": false
},
"healthy": false
}
We also compared this behavior against an existing HAPI running on the main branch and saw the same result there. This suggests the issue is not limited to the PR, even though it appears to be touching archived-bot path validation. The user-visible problem is that traversal-style input is still treated like a database path instead of being blocked before any filesystem access is attempted.
Steps to reproduce bug
- List archived bot databases from /archived-bots/ and confirm the archived-bot routes are available
- Call the following with the sample curl above, using valid API credentials:
  /archived-bots/..%2F/status
  /archived-bots/%2Ftmp%2Ftest/status
  /archived-bots/..%2F%2F%2F%2Ftmp%2F%2F%2F%2Fx/status
- Confirm the API accepts those invalid path-style values as db_path and returns responses showing filesystem-like sqlite paths instead of rejecting the input with 400 or 404
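As an added example (not code from this issue, the PR, or the Hummingbot API code base), here is the shape of validation the report asks for: the raw {db_path} value is checked before any filesystem or sqlite access, a bad value answers 400, a well-formed but missing file answers 404, and only then is a sqlite URL built. The archive directory, the ".sqlite" suffix, the helper names, and the placeholder database file are all assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Assumption: archived bot databases are bare file names ending in ".sqlite".
# No separators, no leading dot, so "..", "../", "/tmp/test" all fail here.
_SAFE_DB_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*\.sqlite$")


class DbPathError(Exception):
    """Carries the HTTP status the route should answer with (400 or 404)."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


def resolve_archived_db(db_path: str, archive_dir: Path) -> Path:
    """Map the already URL-decoded {db_path} route value to a file inside
    archive_dir, or raise DbPathError. Nothing on disk is touched until the
    value has passed the syntactic and containment checks."""
    # 1. Syntactic check on the untrusted string itself.
    if not db_path or "/" in db_path or "\\" in db_path or db_path in (".", ".."):
        raise DbPathError(400, "db_path must be a bare archived database file name")
    if not _SAFE_DB_NAME.fullmatch(db_path):
        raise DbPathError(400, "db_path has an unexpected format")

    # 2. Containment check after resolving symlinks (belt and braces).
    root = archive_dir.resolve()
    candidate = (root / db_path).resolve()
    if candidate.parent != root:
        raise DbPathError(400, "db_path escapes the archive directory")

    # 3. Existence check last, so probing cannot distinguish "invalid" from "absent".
    if not candidate.is_file():
        raise DbPathError(404, "archived database not found")
    return candidate


def sqlite_url(path: Path) -> str:
    """SQLAlchemy form: 'sqlite:///' followed by an absolute path gives four slashes."""
    return f"sqlite:///{path}"


def status_for(db_path: str, archive_dir: Path) -> Tuple[int, str]:
    """Return (http_status, detail_or_url) the way a hardened route would answer."""
    try:
        return 200, sqlite_url(resolve_archived_db(db_path, archive_dir))
    except DbPathError as exc:
        return exc.status_code, exc.detail


def demo() -> Dict[str, int]:
    """Run the probe values from the report against a constructed archive directory."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp)
        # Constructed placeholder: an empty file standing in for a real archived db.
        (archive / "bot_a.sqlite").write_bytes(b"")
        probes = ["bot_a.sqlite", "missing.sqlite", "../", "/tmp/test", "..////tmp////x"]
        return {p: status_for(p, archive)[0] for p in probes}


if __name__ == "__main__":
    for value, code in demo().items():
        print(f"{value!r:22} -> {code}")
```

The containment check (step 2) is deliberately kept even though the regex already rules out separators: if the naming rule is later relaxed, the resolved-path comparison still stops anything that lands outside the archive directory, and the 404 only fires for a name that passed both checks.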