diff --git a/autobot-backend/agents/npu_code_search_agent.py b/autobot-backend/agents/npu_code_search_agent.py index ef4d6dfdc..8bc5d496c 100644 --- a/autobot-backend/agents/npu_code_search_agent.py +++ b/autobot-backend/agents/npu_code_search_agent.py @@ -995,6 +995,7 @@ async def _search_file_exact( return [] try: + file_path = str(validate_path(file_path)) async with aiofiles.open( file_path, "r", encoding="utf-8", errors="ignore" ) as f: @@ -1069,6 +1070,7 @@ async def _search_file_regex( return [] try: + file_path = str(validate_path(file_path)) async with aiofiles.open( file_path, "r", encoding="utf-8", errors="ignore" ) as f: @@ -1177,6 +1179,7 @@ async def _search_file_semantic( return [] try: + file_path = str(validate_path(file_path)) async with aiofiles.open( file_path, "r", encoding="utf-8", errors="ignore" ) as f: @@ -1411,6 +1414,7 @@ async def _get_file_context( ) -> List[str]: """Get context lines around a specific line number""" try: + file_path = str(validate_path(file_path)) async with aiofiles.open( file_path, "r", encoding="utf-8", errors="ignore" ) as f: diff --git a/autobot-backend/api/analytics_performance.py b/autobot-backend/api/analytics_performance.py index eecf3a802..ff6503789 100644 --- a/autobot-backend/api/analytics_performance.py +++ b/autobot-backend/api/analytics_performance.py @@ -22,6 +22,7 @@ from pydantic import BaseModel, Field from auth_middleware import check_admin_permission +from autobot_shared.security.path_validator import validate_path logger = logging.getLogger(__name__) @@ -542,8 +543,10 @@ async def analyze_path( """ start_time = datetime.now() + # Validate path stays within allowed roots before analysis (#3164) + safe_path = validate_path(path) # Issue #398: Use extracted helper - files_to_analyze = await _get_files_to_analyze(Path(path)) + files_to_analyze = await _get_files_to_analyze(safe_path) # Return no_data response if no files to analyze if not files_to_analyze: diff --git a/autobot-backend/api/codebase_analytics/endpoints/environment.py b/autobot-backend/api/codebase_analytics/endpoints/environment.py index 75a8da698..2b04f113c 100644 --- a/autobot-backend/api/codebase_analytics/endpoints/environment.py +++ b/autobot-backend/api/codebase_analytics/endpoints/environment.py @@ -467,8 +467,14 @@ async def get_env_recommendations( ) # Run fresh analysis if no cache + project_root = _get_project_root() if not path: - path = str(Path(__file__).resolve().parents[4]) + path = project_root + + error_response = _validate_env_path_security(path, project_root) + if error_response: + return error_response + return await _fetch_live_env_recommendations(path) diff --git a/autobot-backend/services/fast_document_scanner.py b/autobot-backend/services/fast_document_scanner.py index e648b88c0..4119582f5 100644 --- a/autobot-backend/services/fast_document_scanner.py +++ b/autobot-backend/services/fast_document_scanner.py @@ -457,11 +457,21 @@ def get_parsed_man_page( Returns: ManPageContent with structured sections, or None if failed """ + from autobot_shared.security.path_validator import validate_path + parser = ManPageParser() try: + # Validate path stays within system man directories (#1721) + safe_path = validate_path( + file_path, + allowed_roots=[ + "/usr/share/man", + "/usr/local/share/man", + ], + ) # Try direct file parsing first (faster) - result = parser.parse_man_page(Path(file_path)) + result = parser.parse_man_page(safe_path) if result.parse_success: return result