Fix Critical Directory Traversal Vulnerability

[FortiShield]

User description

Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

Snapshots:

Include snapshots for easier review.

Checklist:

• My code follows the style guidelines of this project
• I have already rebased the commits and make the commit message conform to the project standard.
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• Any dependent changes have been merged and published in downstream modules

---

PR Type

Bug fix

---

Description

• Fixed a critical directory traversal vulnerability in the document_upload function by sanitizing input paths.
• Added checks to ensure that file paths are within the allowed directory, raising an HTTPException if not.
• Implemented cleanup of temporary files in case of errors during the upload process.
• Used os.path.basename to sanitize space_name and doc_file.filename to prevent malicious path inputs.

---

Changes walkthrough 📝

	Relevant files
Bug fix	api.py Fix directory traversal vulnerability in document upload  gptdb/app/knowledge/api.py Added path sanitization to prevent directory traversal. Introduced HTTPException for invalid path detection. Used os.path.basename to sanitize file and directory names. Implemented cleanup for temporary files in case of exceptions. +65/-48

---

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

Summary by CodeRabbit

• New Features

  • Enhanced document upload functionality with improved security measures.

• Bug Fixes

  • Improved error handling for file operations to prevent orphaned files and ensure proper cleanup.

• Refactor

  • Refactored the document upload logic for better input sanitization and path validation.

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR implements security improvements to prevent directory traversal vulnerabilities in the document upload endpoint. The changes focus on proper path sanitization, validation of upload locations, and improved error handling for temporary files.

Sequence diagram for document upload process

sequenceDiagram
    actor User
    participant API as Document Upload API
    participant FS as File System
    participant Service as Knowledge Space Service

    User->>API: POST /knowledge/{space_name}/document/upload
    API->>API: Sanitize inputs (space_name, doc_file.filename)
    API->>FS: Verify and create upload directory
    API->>FS: Create temp file
    API->>FS: Write file content
    API->>FS: Move temp file to target path
    API->>Service: Get knowledge space
    alt Space does not exist
        API->>Service: Create default knowledge space
    end
    API->>Service: Create knowledge document
    API-->>User: Return success or error

Loading

Class diagram for document upload changes

classDiagram
    class DocumentUpload {
        +document_upload(space_name: str, doc_name: str, doc_type: str, doc_file: UploadFile)
        +sanitizeInputs()
        +verifyUploadDirectory()
        +createTempFile()
        +moveFile()
        +handleErrors()
    }

    class KnowledgeDocumentRequest {
        +doc_name: str
        +doc_type: str
        +content: str
    }

    DocumentUpload --> KnowledgeDocumentRequest
    note for DocumentUpload "Handles document upload with security checks"
    note for KnowledgeDocumentRequest "Represents a request to create a knowledge document"

Loading

File-Level Changes

Change	Details	Files
Implemented path sanitization and validation to prevent directory traversal attacks	Added os.path.basename() to sanitize space_name and filename inputs Implemented absolute path resolution and validation against root upload directory Added security check to ensure target path is within allowed upload directory Added HTTP 400 exception for invalid paths	gptdb/app/knowledge/api.py
Improved temporary file handling and error management	Added try-except block specifically for temporary file operations Implemented cleanup of temporary files in case of errors Restructured the code to ensure proper resource cleanup	gptdb/app/knowledge/api.py
Updated variable naming and path construction	Introduced descriptive variable names for paths (upload_dir, target_path) Standardized the use of safe_space_name throughout the function Updated path joining logic to use absolute paths consistently	gptdb/app/knowledge/api.py

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Walkthrough

The changes in the pull request primarily focus on enhancing the document_upload function within the gptdb/app/knowledge/api.py file. Key modifications include improved input sanitization to prevent security vulnerabilities, such as path traversal attacks, and enhanced error handling through the introduction of HTTPException. The function now checks for the existence of the upload directory, constructs safe file paths, and ensures proper cleanup of temporary files in case of errors. Other functions in the file remain unchanged, preserving the overall control flow of the API.

Changes

File Path	Change Summary
gptdb/app/knowledge/api.py	- Enhanced document_upload function with input sanitization and improved error handling. - Added import for HTTPException. - Updated method signature. - Logic for creating directories and handling temporary files made more robust.

Poem

In the land of code where rabbits play,
We’ve tidied up the upload way.
With paths secure and errors tamed,
Our files now dance, unashamed! 🐇✨
So hop along, let’s celebrate,
A safer world we now create!

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codiumai-pr-agent-free]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪

🧪 No relevant tests

🔒 Security concerns Path traversal mitigation: While the code adds protection against directory traversal by using os.path.basename() and path validation, the implementation should be carefully reviewed. The check on line 352 may not catch all malicious path scenarios. Consider using a more robust path sanitization library or implementing additional checks for symbolic links and relative paths. Also verify that KNOWLEDGE_UPLOAD_ROOT_PATH is properly configured with secure permissions.

⚡ Recommended focus areas for review Error Handling The error handling could be improved by providing more specific error messages and status codes for different failure scenarios Path Validation The path validation logic should be reviewed to ensure it properly handles all edge cases like symbolic links and relative paths File Handling The temporary file cleanup could potentially fail silently if the file is locked or has permission issues

[codiumai-pr-agent-free]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Score
Security	✅ Normalize file paths before security checks to prevent path traversal bypass attempts Suggestion Impact: The commit implemented path normalization using os.path.normpath() on both upload_dir and target_path, enhancing security checks against path traversal attacks. code diff: + upload_dir = os.path.normpath(os.path.abspath(os.path.join(KNOWLEDGE_UPLOAD_ROOT_PATH, safe_space_name))) + target_path = os.path.normpath(os.path.abspath(os.path.join(upload_dir, safe_filename))) + + if not upload_dir.startswith(os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH)) or not target_path.startswith(os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH)): Use os.path.normpath() on the target path before checking if it's within KNOWLEDGE_UPLOAD_ROOT_PATH to prevent path normalization bypasses. gptdb/app/knowledge/api.py [352-353] -if not os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH) in target_path: +if not os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH) in os.path.normpath(target_path): raise HTTPException(status_code=400, detail="Invalid path detected") Apply this suggestion Suggestion importance[1-10]: 9 Why: This is a critical security enhancement that prevents path traversal attacks by normalizing paths before validation. Without normalization, attackers could potentially bypass the security check using path sequences like '../'.	9
	Validate file size before processing to prevent memory exhaustion attacks Add file size validation before reading the uploaded file to prevent potential memory issues with large files. gptdb/app/knowledge/api.py [362-363] +max_size = 50 * 1024 * 1024 # 50MB limit +content = await doc_file.read() +if len(content) > max_size: + raise HTTPException(status_code=400, detail="File too large") with os.fdopen(tmp_fd, "wb") as tmp: - tmp.write(await doc_file.read()) + tmp.write(content) Apply this suggestion Suggestion importance[1-10]: 8 Why: Adding file size validation is crucial for preventing denial-of-service attacks through memory exhaustion. This security measure protects the server from processing maliciously large files.	8
Best practice	Use context managers for temporary files to ensure proper cleanup Use a context manager with tempfile.NamedTemporaryFile instead of manual cleanup to ensure temporary files are always removed. gptdb/app/knowledge/api.py [359-363] -tmp_fd, tmp_path = tempfile.mkstemp(dir=upload_dir) -try: - with os.fdopen(tmp_fd, "wb") as tmp: - tmp.write(await doc_file.read()) +with tempfile.NamedTemporaryFile(dir=upload_dir, delete=False) as tmp: + tmp.write(await doc_file.read()) + tmp_path = tmp.name Apply this suggestion Suggestion importance[1-10]: 5 Why: While the current code already includes cleanup in the exception handler, using NamedTemporaryFile with a context manager is a more elegant and safer approach to ensure temporary file cleanup, though not critical since cleanup is already handled.	5

💡 Need additional feedback ? start a PR chat

[sourcery-ai]

Hey @FortiShield - I've reviewed your changes - here's some feedback:

Overall Comments:

• Consider adding security event logging for failed upload attempts and path validation failures to help track potential attacks

Here's what I looked at during the review

• 🟡 General issues: 1 issue found
• 🟡 Security: 1 issue found
• 🟢 Testing: all looks good
• 🟡 Complexity: 1 issue found
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

🚨 issue (security): Set secure file permissions when creating temporary file

Use mode=0o600 with mkstemp() to ensure temporary files are only readable by the creating user

[sourcery-ai]

suggestion (performance): Implement file size limits and use chunked reading for large files

Reading entire file into memory could cause issues with large files. Consider using a chunked approach with a maximum file size limit

Suggested change

	target_path = os.path.abspath(os.path.join(upload_dir, safe_filename))
	MAX_FILE_SIZE = 50 * 1024 * 1024 # 50MB
	file_size = 0
	with os.fdopen(tmp_fd, "wb") as tmp:
	while chunk := await doc_file.read(8192):
	file_size += len(chunk)
	if file_size > MAX_FILE_SIZE:
	os.unlink(tmp_path)
	raise ValueError("File too large")
	tmp.write(chunk)

[sourcery-ai]

issue (complexity): Consider refactoring the file upload logic into smaller, focused functions with better path handling

The security improvements are valuable but can be implemented more cleanly. Consider:

1. Extract path validation into a utility function
2. Use pathlib.Path for cleaner path handling
3. Use a context manager for temp file handling

Example refactor:

def validate_upload_path(base_path: Path, space_name: str, filename: str) -> Path:
    """Validate and return safe upload path"""
    safe_space = Path(space_name).name  # Sanitize space name
    safe_file = Path(filename).name     # Sanitize filename
    upload_dir = base_path / safe_space
    target_path = upload_dir / safe_file

    if not target_path.is_relative_to(base_path):
        raise HTTPException(status_code=400, detail="Invalid path detected")
    return target_path

@router.post("/knowledge/{space_name}/document/upload")
async def document_upload(
    space_name: str,
    doc_name: str = Form(...),
    doc_type: str = Form(...),
    doc_file: UploadFile = File(...),
):
    if not doc_file:
        return Result.failed(code="E000X", msg="doc_file is None")

    try:
        base_path = Path(KNOWLEDGE_UPLOAD_ROOT_PATH)
        target_path = validate_upload_path(base_path, space_name, doc_file.filename)
        target_path.parent.mkdir(parents=True, exist_ok=True)

        with tempfile.NamedTemporaryFile(dir=target_path.parent, delete=False) as tmp:
            tmp.write(await doc_file.read())
            tmp_path = Path(tmp.name)

        tmp_path.rename(target_path)  # atomic operation

        request = KnowledgeDocumentRequest(
            doc_name=doc_name,
            doc_type=doc_type,
            content=str(target_path)
        )
        # Rest of the space creation logic...

This maintains all security checks while reducing nesting and improving maintainability through:

• Centralized path validation
• Cleaner path handling with pathlib
• Automatic temp file cleanup
• Reduced nesting depth

[sourcery-ai]

issue (code-quality): Raise a specific error instead of the general Exception or BaseException (raise-specific-error)

Explanation

If a piece of code raises a specific exception type rather than the generic [`BaseException`](https://docs.python.org/3/library/exceptions.html#BaseException) or [`Exception`](https://docs.python.org/3/library/exceptions.html#Exception), the calling code can:

• get more information about what type of error it is
• define specific exception handling for it

This way, callers of the code can handle the error appropriately.

How can you solve this?

• Use one of the built-in exceptions of the standard library.
• Define your own error class that subclasses Exception.

So instead of having code raising Exception or BaseException like

if incorrect_input(value):
    raise Exception("The input is incorrect")

you can have code raising a specific error like

if incorrect_input(value):
    raise ValueError("The input is incorrect")

or

class IncorrectInputError(Exception):
    pass


if incorrect_input(value):
    raise IncorrectInputError("The input is incorrect")

[sourcery-ai]

issue (code-quality): We've found these issues:

• Simplify logical expression using De Morgan identities (de-morgan)
• Ensure constant in comparison is on the right (flip-comparison)
• Replace f-string with no interpolated values with string [×2] (remove-redundant-fstring)

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (4)

gptdb/app/knowledge/api.py (4)

6-6: Remove unused import 'pathlib.Path'

The pathlib.Path module is imported but not used in the code. Removing unused imports helps keep the code clean and maintainable.

Apply this diff to remove the unused import:

-import logging
-import os
-import shutil
-import tempfile
-from typing import List
-from pathlib import Path
+import logging
+import os
+import shutil
+import tempfile
+from typing import List

🧰 Tools

🪛 Ruff

6-6: pathlib.Path imported but unused

Remove unused import: pathlib.Path

(F401)

---

377-377: Rewrite condition for better readability

The condition 'if "default" != safe_space_name:' can be rewritten as 'if safe_space_name != "default":' to improve readability.

Apply this diff to adjust the condition:

-if "default" != safe_space_name:
+if safe_space_name != "default":

🧰 Tools

🪛 Ruff

377-377: Yoda condition detected

Rewrite as safe_space_name != "default"

(SIM300)

---

378-378: Correct the grammatical error and remove unnecessary f-string

The exception message contains a grammatical error, and the f-string is unnecessary since no variables are being interpolated. The corrected message should read: "You have not created your knowledge space."

Apply this diff to correct the exception message:

-raise Exception(f"you have not create your knowledge space.")
+raise Exception("You have not created your knowledge space.")

🧰 Tools

🪛 Ruff

378-378: f-string without any placeholders

Remove extraneous f prefix

(F541)

---

397-397: Remove unnecessary f-string prefix

The f-string in the return statement is unnecessary since no variables are being interpolated. Remove the f prefix.

Apply this diff to remove the unnecessary f-string:

-return Result.failed(code="E000X", msg=f"doc_file is None")
+return Result.failed(code="E000X", msg="doc_file is None")

🧰 Tools

🪛 Ruff

397-397: f-string without any placeholders

Remove extraneous f prefix

(F541)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 0882a31 and e227f2a.

📒 Files selected for processing (1)

• gptdb/app/knowledge/api.py (2 hunks)

🧰 Additional context used

🪛 Ruff

gptdb/app/knowledge/api.py

6-6: pathlib.Path imported but unused

Remove unused import: pathlib.Path

(F401)

---

339-339: Do not perform function call File in argument defaults; instead, perform the call within the function, or read the default from a module-level singleton variable

(B008)

---

377-377: Yoda condition detected

Rewrite as safe_space_name != "default"

(SIM300)

---

378-378: f-string without any placeholders

Remove extraneous f prefix

(F541)

---

397-397: f-string without any placeholders

Remove extraneous f prefix

(F541)

[coderabbitai]

⚠️ Potential issue

Use a more secure method for path validation

Using startswith for path validation can be unsafe, as it may be bypassed with crafted inputs. To securely ensure that upload_dir and target_path are within the allowed directory, use os.path.commonpath for comparison.

Apply this diff to enhance path validation:

-if not upload_dir.startswith(os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH)) or not target_path.startswith(os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH)):
+if os.path.commonpath([upload_dir, os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH)]) != os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH) or \
+   os.path.commonpath([target_path, os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH)]) != os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH):
     raise HTTPException(status_code=400, detail="Invalid path detected")

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if not upload_dir.startswith(os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH)) or not target_path.startswith(os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH)):
	raise HTTPException(status_code=400, detail="Invalid path detected")
	if os.path.commonpath([upload_dir, os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH)]) != os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH) or \
	os.path.commonpath([target_path, os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH)]) != os.path.abspath(KNOWLEDGE_UPLOAD_ROOT_PATH):
	raise HTTPException(status_code=400, detail="Invalid path detected")