[AAASM-3169] 🔒 (python-sdk): Fix S8707 path-traversal in adapter_validator CLI

[Chisanan232]

Description

Fixes the one open VULNERABILITY on python-sdk master (SonarCloud pythonsecurity:S8707, MAJOR, agent_assembly/cli/adapter_validator.py:189).

aasm adapter validate <path_or_module> flowed a CLI-supplied path straight into Path(...) → open(pyproject_path) with no validation, so a crafted argument (../../..., absolute paths, or a symlinked pyproject.toml) could read arbitrary pyproject.toml files outside the intended adapter directory.

The fix resolve()s the constructed manifest path (collapsing ../symlinks — this breaks Sonar's argv→open() taint flow) and adds a real containment guard: the resolved pyproject.toml's canonical parent must equal the resolved adapter directory, otherwise the manifest is refused rather than read. Legitimate validation of a real adapter dir/module is unchanged.

Per-finding resolution

Finding	File:line	Status	How
pythonsecurity:S8707 path-traversal	agent_assembly/cli/adapter_validator.py:189	Resolved	.resolve() canonicalizes the manifest path before access + containment guard rejecting any pyproject.toml resolving outside the adapter directory

Type of Change

• 🔧 Bug fix

Breaking Changes

• No

A legitimate adapter directory's own pyproject.toml is read exactly as before; only manifests reached by escaping the adapter directory (e.g. an out-of-tree symlink) are now refused.

Related Issues

• Related JIRA ticket: AAASM-3169

Testing

• Unit tests added/updated

Added to TestCheckEntryPointMetadata:

• test_traversal_path_resolved_to_valid_dir — a .. path that canonicalizes back to a real adapter dir still validates (legitimate behaviour preserved).
• test_symlinked_pyproject_outside_dir_rejected — a pyproject.toml symlink escaping the adapter dir is refused, not read (skips on platforms without symlink support).

Test Plan / validation run:

• .venv/bin/python -m pytest test/ → 515 passed, 13 skipped (skips are native _core/optional-framework, pre-existing).
• .venv/bin/pre-commit run --files <changed> → isort, autoflake, black, mypy all Passed.
• .venv/bin/mypy agent_assembly → only pre-existing agent_assembly._core import-not-found errors (native PyO3 ext not built locally); unrelated to this change.
• .venv/bin/ruff check . → pre-existing baseline errors only (ruff is not wired into CI or pre-commit here; the changed files introduce zero new ruff findings, and the lone B009 in this module predates this PR).

Operator safe-ack recommendation

None — this is a real guard that breaks the taint flow; no SonarCloud "Safe" acknowledgement is needed. SonarCloud should clear S8707 on the next scan.

Checklist

• Code follows project style guidelines
• Self-review completed
• Comments added for complex logic
• All tests passing

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Chisanan232]

🤖 Claude Code — PR Review

Disclosure: Authored by a sub-agent I orchestrated under the AAASM-3169 fan-out. Reviewing critically — this is a real security fix, so it got the closest look.

1. CI verdict

15/15 green (6 skipped are env-gated e2e/optional-framework). No failures. mergeStateStatus=BLOCKED is the branch-protection review gate.

2. Scope review vs AAASM-3169 — 1/1 resolved

Finding	Resolution
pythonsecurity:S8707 path-traversal adapter_validator.py:189	✅ Fixed with resolve() + containment guard

3. Quality observations (read the diff + reasoning)

• The fix is a real bound, not cosmetic. search_path = Path(path_or_module).resolve() then (search_path / "pyproject.toml").resolve(), followed by a guard rejecting any manifest whose canonical parent ≠ the resolved adapter dir ("…resolves outside the adapter directory; refusing to read it."). resolve() collapses ..//symlinks — which breaks Sonar's argv→open taint flow — and the containment check is a genuine traversal guard. Both halves matter; the agent did both.
• Behaviour preserved + tested. A legitimate adapter dir's own pyproject.toml still reads; a .. path that canonicalizes back inside still validates; a symlink escape is rejected. Two new tests in TestCheckEntryPointMetadata cover the valid-resolved and rejected-escape cases (symlink test skips where unsupported). 515 tests pass.
• CI-honest note: the agent flagged that this repo's CI/pre-commit does not run ruff (master carries 199 baseline ruff findings incl. a pre-existing B009 in this same file), so "ruff clean" can't be met against that baseline — but the changed lines add zero new ruff findings, and mypy/black/isort/pytest are all clean. Correct call to report rather than mask.

4. Verdict

🟢 APPROVED. The one genuinely-serious finding of this batch — a path-traversal in a CLI that takes LLM/operator-supplied paths — fixed correctly with a real guard + regression tests. SonarCloud auto-clears S8707 on next scan.

---

Generated by Claude Code (Opus 4.8, 1M ctx) · scope: CI triage + AAASM-3169 AC verification + taint-fix correctness review