[repo-monitor] High: Path traversal via spider.name() — ../sequences write to arbitrary filesystem paths

[Liohtml]

Summary

spider.name() is interpolated directly into filesystem paths for cache and checkpoint directories without sanitization. A spider name containing ../ enables path traversal to write outside the .scrapling/ directory.

Location

• File: src/spiders/engine.rs
• Line(s): 50–60

Severity

High

Details

.unwrap_or_else(|| format!(".scrapling/{}/cache", spider.name()));
.unwrap_or_else(|| format!(".scrapling/{}/checkpoints", spider.name()));

If a spider name contains ../ (e.g., "../../etc/cron.d"), create_dir_all and subsequent file writes would target arbitrary filesystem locations.

Suggested Fix

Sanitize the spider name before use:

let safe_name = spider.name().replace(['/', '\\', '.'], "_");
let dir = format!(".scrapling/{}/cache", safe_name);

Or validate using Path::new(name).components() to ensure no .. or root components.

---

Automated finding by repo-monitor

[Liohtml]

Analysis

Confirmed. src/spiders/engine.rs:50-60 — spider.name() is used directly to construct filesystem paths:

let cache_dir = format!(".scrapling/{}/cache", spider.name());
let checkpoint_dir = format!(".scrapling/{}/checkpoints", spider.name());
std::fs::create_dir_all(&cache_dir)?;

A spider name containing ../ or ../../ would write outside .scrapling/. For example, spider.name() = "../../etc/cron.d" would try to create cron.d/cache/ under /etc/.

Honest risk assessment: Spider names are set by the developer, not by user input — so this is a developer footgun, not an end-user vulnerability. It won't be exploited by a malicious URL being scraped. The risk is an accidental directory name collision or a developer mistake.

That said, it's easy to prevent:

fn sanitize_spider_name(name: &str) -> String {
    name.chars()
        .map(|c| if c.is_alphanumeric() || c == '-' || c == '_' { c } else { '_' })
        .collect()
}

// In engine.rs:
let safe_name = sanitize_spider_name(spider.name());
let cache_dir = format!(".scrapling/{safe_name}/cache");

Or validate at spider construction with a clear error:

fn validate_spider_name(name: &str) -> Result<(), EngineError> {
    if name.contains('/') || name.contains('.') || name.contains('\\') {
        return Err(EngineError::InvalidSpiderName(name.to_string()));
    }
    Ok(())
}

The validation approach is better — it fails loudly at spider creation rather than silently creating an oddly-named directory.

Effort: 15 min.