fix(security): resolve path-injection CodeQL alerts (#3164)

autobot-backend/agents/npu_code_search_agent.py

@@ -995,6 +995,7 @@ async def _search_file_exact(
             return []
 
         try:
+            file_path = str(validate_path(file_path))
             async with aiofiles.open(
                 file_path, "r", encoding="utf-8", errors="ignore"
             ) as f:
@@ -1069,6 +1070,7 @@ async def _search_file_regex(
             return []
 
         try:
+            file_path = str(validate_path(file_path))
             async with aiofiles.open(
                 file_path, "r", encoding="utf-8", errors="ignore"
             ) as f:
@@ -1177,6 +1179,7 @@ async def _search_file_semantic(
             return []
 
         try:
+            file_path = str(validate_path(file_path))
             async with aiofiles.open(
                 file_path, "r", encoding="utf-8", errors="ignore"
             ) as f:
@@ -1411,6 +1414,7 @@ async def _get_file_context(
     ) -> List[str]:
         """Get context lines around a specific line number"""
         try:
+            file_path = str(validate_path(file_path))
             async with aiofiles.open(
                 file_path, "r", encoding="utf-8", errors="ignore"
             ) as f:

autobot-backend/api/analytics_performance.py

@@ -22,6 +22,7 @@
 from pydantic import BaseModel, Field
 
 from auth_middleware import check_admin_permission
+from autobot_shared.security.path_validator import validate_path
 
 logger = logging.getLogger(__name__)
 
@@ -542,8 +543,10 @@ async def analyze_path(
     """
     start_time = datetime.now()
 
+    # Validate path stays within allowed roots before analysis (#3164)
+    safe_path = validate_path(path)
     # Issue #398: Use extracted helper
-    files_to_analyze = await _get_files_to_analyze(Path(path))
+    files_to_analyze = await _get_files_to_analyze(safe_path)
 
     # Return no_data response if no files to analyze
     if not files_to_analyze:

autobot-backend/api/codebase_analytics/endpoints/environment.py

@@ -467,8 +467,14 @@ async def get_env_recommendations(
             )
 
     # Run fresh analysis if no cache
+    project_root = _get_project_root()
     if not path:
-        path = str(Path(__file__).resolve().parents[4])
+        path = project_root
+
+    error_response = _validate_env_path_security(path, project_root)
+    if error_response:
+        return error_response
+
     return await _fetch_live_env_recommendations(path)
 
 

autobot-backend/services/fast_document_scanner.py

@@ -457,11 +457,21 @@ def get_parsed_man_page(
         Returns:
             ManPageContent with structured sections, or None if failed
         """
+        from autobot_shared.security.path_validator import validate_path
+
         parser = ManPageParser()
 
         try:
+            # Validate path stays within system man directories (#1721)
+            safe_path = validate_path(
+                file_path,
+                allowed_roots=[
+                    "/usr/share/man",
+                    "/usr/local/share/man",
+                ],
+            )
             # Try direct file parsing first (faster)
-            result = parser.parse_man_page(Path(file_path))
+            result = parser.parse_man_page(safe_path)
 
             if result.parse_success:
                 return result