security: fix path traversal vulnerability in FRI download endpoint (fixes #262) #315

Merged: pradeeban merged 3 commits into ControlCore-Project:dev from GaneshPatil7517:fix/path-traversal-download on Feb 14, 2026
@GaneshPatil7517

@pradeeban

Summary

This PR resolves Issue #262 by preventing path traversal in the FRI server /download endpoint.

Previously, the fetch parameter was used directly in send_from_directory without sanitization. This allowed directory traversal attacks such as:

/download/test?fetchDir=src&fetch=../../../../etc/passwd

which could expose arbitrary files on the server.

Changes Made

  • Added validation to reject missing fetch parameter (HTTP 400)
  • Normalized requested file path using os.path.normpath
  • Rejected absolute paths (HTTP 400)
  • Blocked .. directory traversal components (HTTP 400)
  • Added final resolved path check to ensure it stays within the intended directory (HTTP 403)
  • Returned proper HTTP error codes for invalid requests

Security Impact

  • Prevents arbitrary file read via path traversal
  • Restricts file access strictly to the intended directory
  • Improves server-side input validation

Scope

  • Single-file modification (fri/server/main.py)
  • No concore-lite changes
  • No Verilog changes
  • No functional change for valid requests

Testing

  • Valid file downloads work as expected
  • Missing fetch parameter → 400
  • ../../etc/passwd traversal → 400
  • URL-encoded ..%2F..%2Fetc%2Fpasswd → 400
  • Absolute paths (C:\Windows\... / /etc/passwd) → 400
  • Backslash traversal (..\..\etc\passwd) → 400

All tests passed locally.

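The validation sequence listed in the PR description, as an added Python example that is not the project's code from fri/server/main.py: the function name, the sample tree and the file names are assumptions, and backslashes are treated as separators on every platform so the Windows-style cases are rejected on POSIX too. The symlink case shows what the final resolved-path check catches that the string checks do not.

```python
import ntpath
import os
import posixpath
import tempfile
from urllib.parse import unquote


def resolve_download_path(base_dir, fetch):
    """Return (http_status, resolved_path_or_None); hypothetical helper.

    `fetch` is the already URL-decoded query value the handler receives.
    """
    if not fetch or "\x00" in fetch:
        return 400, None  # missing (or unusable) parameter
    # Treat backslashes as separators on every platform, then normalize.
    norm = posixpath.normpath(fetch.replace("\\", "/"))
    # Reject POSIX-absolute paths and Windows drive-letter paths alike.
    if posixpath.isabs(norm) or ntpath.splitdrive(fetch)[0]:
        return 400, None
    if ".." in norm.split("/"):
        return 400, None  # a traversal component survived normalization
    # Final boundary check on the fully resolved path (follows symlinks).
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, norm))
    if os.path.commonpath([base, target]) != base:
        return 403, None
    return 200, target


def demo():
    """Run the checks on a constructed directory tree; return the statuses."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "src")
        os.mkdir(base)
        outside = os.path.join(root, "outside.txt")  # not in the download dir
        for path in (outside, os.path.join(base, "model.py")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(outside, os.path.join(base, "link.txt"))  # link that points out
        cases = [None, "model.py", "../../../../etc/passwd", "/etc/passwd",
                 unquote("..%2F..%2Fetc%2Fpasswd"), "C:\\Windows\\example.txt",
                 "..\\..\\etc\\passwd", "link.txt"]
        return {case: resolve_download_path(base, case)[0] for case in cases}


if __name__ == "__main__":
    for case, status in demo().items():
        print(repr(case), "->", status)
```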

Copilot AI review requested due to automatic review settings February 14, 2026 08:04
Copilot AI left a comment

Pull request overview

This PR addresses a critical path traversal vulnerability (Issue #262) in the FRI server's /download endpoint that allowed attackers to read arbitrary files on the server. The fix implements multiple layers of validation to ensure requested file paths remain within the intended directory boundaries.

Changes:

  • Added comprehensive path validation including checks for missing parameters, absolute paths, directory traversal sequences, and final boundary verification
  • Imported abort from Flask for proper HTTP error responses
  • Enhanced security through defense-in-depth approach with multiple validation layers

@pradeeban merged commit d9a8337 into ControlCore-Project:dev on Feb 14, 2026
6 checks passed
@GaneshPatil7517
Author

Thank you @pradeeban, please review the other PRs also....
