[Phase 1.1.2] Sanitize file download filenames and URLs

## Phase
`Phase 1 — Critical Security` | Track 1.1 — Input Boundary Enforcement | Priority: **P0 HIGH**

## Vulnerability Details
**File:** `operator_use/web/tools/browser.py:272-284`
**CWE:** [CWE-22](https://cwe.mitre.org/data/definitions/22.html), [CWE-20](https://cwe.mitre.org/data/definitions/20.html)

The `download` browser action has three vulnerabilities:
1. **Path traversal in filename** — `filename` can be `../../.bashrc`
2. **No URL scheme validation** — accepts `file://`, `ftp://`, `gopher://`
3. **No size limits** — can cause disk exhaustion

## Fix
- Validate URL scheme (http/https only)
- Sanitize filename with `os.path.basename()`, reject `..`
- Verify resolved download path stays within downloads directory
- Add configurable max download size (default 100MB)
- Check `Content-Length` header before downloading

## Acceptance Criteria
- [ ] URL scheme validated (http/https only)
- [ ] Filename sanitized, path traversal blocked
- [ ] Download size limit enforced
- [ ] Security tests cover all three vectors
- [ ] Guardrail registered in guardrails module

## References
- [CWE-22](https://cwe.mitre.org/data/definitions/22.html)
- [OWASP Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
- Design Doc: `docs/plans/2026-03-29-security-ai-guardrails-performance-design.md`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Phase 1.1.2] Sanitize file download filenames and URLs #15

Phase

Vulnerability Details

Fix

Acceptance Criteria

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Phase 1.1.2] Sanitize file download filenames and URLs #15

Description

Phase

Vulnerability Details

Fix

Acceptance Criteria

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions