Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL] Fix Path Traversal in session storage #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
badMade merged 4 commits into from
Apr 29, 2026
Merged

πŸ›‘οΈ Sentinel: [CRITICAL] Fix Path Traversal in session storage #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8574ca8
πŸ›‘οΈ Sentinel: [CRITICAL] Fix Path Traversal in session storage
badMade Apr 10, 2026
b4e5be3
Update src/session_store.py
badMade Apr 22, 2026
e2a78cc
πŸ›‘οΈ Sentinel: [CRITICAL] Fix Path Traversal in session storage
badMade Apr 22, 2026
256e404
Merge origin/main into sentinel-path-traversal-9468504043063696261
Copilot Apr 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2024-04-10 - Path Traversal in Session Storage
**Vulnerability:** Path traversal existed in both the Python (`src/session_store.py`) and Rust (`rust/crates/runtime/src/session_control.rs`) implementations because unsanitized `session_id` strings were used directly in file paths.
**Learning:** Both reference implementations lacked central validation logic for system identifiers derived from external/user input.
**Prevention:** Always validate and restrict identifier parameters (like session IDs) by checking for explicit disallow-lists (like path separators `/`, `\`, and directory traversal markers `.`, `..`) before using them in file operations.
39 changes: 34 additions & 5 deletions rust/crates/runtime/src/session_control.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,13 +74,17 @@ impl SessionStore {
&self.workspace_root
}

#[must_use]
pub fn create_handle(&self, session_id: &str) -> SessionHandle {
pub fn create_handle(&self, session_id: &str) -> Result<SessionHandle, SessionControlError> {
if !is_valid_session_id(session_id) {
return Err(SessionControlError::Format(format!(
"Invalid session ID: {session_id}"
)));
}
let id = session_id.to_string();
let path = self
.sessions_root
.join(format!("{id}.{PRIMARY_SESSION_EXTENSION}"));
SessionHandle { id, path }
Ok(SessionHandle { id, path })
Comment thread
badMade marked this conversation as resolved.
}

pub fn resolve_reference(&self, reference: &str) -> Result<SessionHandle, SessionControlError> {
Expand Down Expand Up @@ -116,6 +120,11 @@ impl SessionStore {
}

pub fn resolve_managed_path(&self, session_id: &str) -> Result<PathBuf, SessionControlError> {
if !is_valid_session_id(session_id) {
return Err(SessionControlError::Format(format!(
"Invalid session ID: {session_id}"
)));
}
for extension in [PRIMARY_SESSION_EXTENSION, LEGACY_SESSION_EXTENSION] {
let path = self.sessions_root.join(format!("{session_id}.{extension}"));
if path.exists() {
Expand Down Expand Up @@ -223,7 +232,7 @@ impl SessionStore {
) -> Result<ForkedManagedSession, SessionControlError> {
let parent_session_id = session.session_id.clone();
let forked = session.fork(branch_name);
let handle = self.create_handle(&forked.session_id);
let handle = self.create_handle(&forked.session_id)?;
let branch_name = forked
.fork
.as_ref()
Expand Down Expand Up @@ -343,12 +352,25 @@ pub fn create_managed_session_handle_for(
base_dir: impl AsRef<Path>,
session_id: &str,
) -> Result<SessionHandle, SessionControlError> {
if !is_valid_session_id(session_id) {
return Err(SessionControlError::Format(format!(
"Invalid session ID: {session_id}"
)));
}
let id = session_id.to_string();
let path =
managed_sessions_dir_for(base_dir)?.join(format!("{id}.{PRIMARY_SESSION_EXTENSION}"));
Ok(SessionHandle { id, path })
}

#[must_use]
pub fn is_valid_session_id(session_id: &str) -> bool {
Comment thread
badMade marked this conversation as resolved.
if session_id.is_empty() || session_id == "." || session_id.contains("..") {
return false;
}
!session_id.contains(['/', '\\'])
}
Comment thread
badMade marked this conversation as resolved.
Comment thread
badMade marked this conversation as resolved.

pub fn resolve_session_reference(reference: &str) -> Result<SessionHandle, SessionControlError> {
resolve_session_reference_for(env::current_dir()?, reference)
}
Expand Down Expand Up @@ -397,6 +419,11 @@ pub fn resolve_managed_session_path_for(
base_dir: impl AsRef<Path>,
session_id: &str,
) -> Result<PathBuf, SessionControlError> {
if !is_valid_session_id(session_id) {
return Err(SessionControlError::Format(format!(
"Invalid session ID: {session_id}"
)));
}
let directory = managed_sessions_dir_for(base_dir)?;
for extension in [PRIMARY_SESSION_EXTENSION, LEGACY_SESSION_EXTENSION] {
let path = directory.join(format!("{session_id}.{extension}"));
Expand Down Expand Up @@ -713,7 +740,9 @@ mod tests {
session
.push_user_text(text)
.expect("session message should save");
let handle = store.create_handle(&session.session_id);
let handle = store
.create_handle(&session.session_id)
.expect("handle should create");
let session = session.with_persistence_path(handle.path.clone());
session
.save_to_path(&handle.path)
Expand Down
27 changes: 20 additions & 7 deletions src/session_store.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,23 +13,36 @@ class StoredSession:
output_tokens: int


DEFAULT_SESSION_DIR = Path('.port_sessions')
DEFAULT_SESSION_DIR = Path(".port_sessions")


def validate_session_id(session_id: str) -> None:
if "/" in session_id or "\\" in session_id:
raise ValueError(f"Invalid session ID: contains path separators ({session_id})")
if session_id in (".", ".."):
raise ValueError(f"Invalid session ID: cannot be '.' or '..' ({session_id})")
if ".." in session_id:
raise ValueError(
f"Invalid session ID: contains directory traversal ('..') ({session_id})"
)
Comment thread
badMade marked this conversation as resolved.
Comment thread
badMade marked this conversation as resolved.


def save_session(session: StoredSession, directory: Path | None = None) -> Path:
validate_session_id(session.session_id)
target_dir = directory or DEFAULT_SESSION_DIR
target_dir.mkdir(parents=True, exist_ok=True)
path = target_dir / f'{session.session_id}.json'
path = target_dir / f"{session.session_id}.json"
path.write_text(json.dumps(asdict(session), indent=2))
return path


def load_session(session_id: str, directory: Path | None = None) -> StoredSession:
validate_session_id(session_id)
target_dir = directory or DEFAULT_SESSION_DIR
data = json.loads((target_dir / f'{session_id}.json').read_text())
data = json.loads((target_dir / f"{session_id}.json").read_text())
return StoredSession(
session_id=data['session_id'],
messages=tuple(data['messages']),
input_tokens=data['input_tokens'],
output_tokens=data['output_tokens'],
session_id=data["session_id"],
messages=tuple(data["messages"]),
input_tokens=data["input_tokens"],
output_tokens=data["output_tokens"],
)
Loading