Skip to content

fix: prevent path traversal in zip member validation#396

Open
okyashgajjar wants to merge 1 commit into
imDarshanGK:mainfrom
okyashgajjar:fix/path-traversal-vulnerability
Open

fix: prevent path traversal in zip member validation#396
okyashgajjar wants to merge 1 commit into
imDarshanGK:mainfrom
okyashgajjar:fix/path-traversal-vulnerability

Conversation

@okyashgajjar
Copy link
Copy Markdown

@okyashgajjar okyashgajjar commented May 27, 2026

Description

Fixed a path traversal vulnerability in _safe_zip_name() function in
backend/app/routers/analyze.py. The original function only stripped
leading slashes but did not reject .. path components, allowing
attackers to escape the intended directory and access sensitive files.

Related Issue

Fixes #386

Type of change

  • Bug fix

Checklist

  • I have read CONTRIBUTING.md
  • My branch is up to date with main
  • I have run pytest -v and all tests pass
  • I have not introduced duplicate issues or features
  • My PR title follows the format: fix: prevent path traversal in zip member validation
  • No hardcoded secrets or API keys in my code
  • This PR is linked to a GSSoC 2026 issue

Test evidence

pytest -v
# 93 passed in 3.96s
# Manually Tested the check.

@okyashgajjar okyashgajjar requested a review from imDarshanGK as a code owner May 27, 2026 09:07
@imDarshanGK
Copy link
Copy Markdown
Owner

imDarshanGK commented May 28, 2026

@okyashgajjar
update your branch with the latest main changes

@okyashgajjar okyashgajjar force-pushed the fix/path-traversal-vulnerability branch from 0572323 to 9e7569b Compare May 28, 2026 19:25
@okyashgajjar
Copy link
Copy Markdown
Author

okyashgajjar commented May 28, 2026

Done @imDarshanGK Check this now.

@okyashgajjar okyashgajjar force-pushed the fix/path-traversal-vulnerability branch 2 times, most recently from b4b72b6 to aec4516 Compare May 28, 2026 20:06
@imDarshanGK
Copy link
Copy Markdown
Owner

imDarshanGK commented May 30, 2026

@okyashgajjar update the branch with the latest main changes

@okyashgajjar okyashgajjar force-pushed the fix/path-traversal-vulnerability branch from aec4516 to 9e4ef45 Compare May 30, 2026 10:27
@okyashgajjar
Copy link
Copy Markdown
Author

okyashgajjar commented May 30, 2026

done @imDarshanGK please merge this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@imDarshanGK imDarshanGK Awaiting requested review from imDarshanGK imDarshanGK is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug] Path Traversal Vulnerability in analyze.py

2 participants

@okyashgajjar @imDarshanGK