fix: Validate file attachments to prevent reading device files or large files

Author: factorydroid

cortex-cli/src/run_cmd.rs

@@ -346,6 +346,19 @@ impl RunCli {
                 format!("Failed to read file metadata: {}", resolved_path.display())
             })?;
 
+            if !metadata.is_file() && !metadata.is_dir() {
+                bail!(
+                    "File is not a regular file or directory: {}",
+                    file_path.display()
+                );
+            }
+
+            // Max file size check (e.g. 10MB) to prevent OOM
+            const MAX_FILE_SIZE: u64 = 10 * 1024 * 1024;
+            if metadata.len() > MAX_FILE_SIZE {
+                bail!("File too large (max 10MB): {}", file_path.display());
+            }
+
             let filename = resolved_path
                 .file_name()
                 .map(|n| n.to_string_lossy().to_string())