fix: critical security — API auth middleware and path traversal prevention#605
Open
jennniec wants to merge 1 commit into
Open
fix: critical security — API auth middleware and path traversal prevention#605jennniec wants to merge 1 commit into
jennniec wants to merge 1 commit into
Conversation
Two critical issues and several high/medium issues were identified during
a security review of the backend API.
**Critical fixes:**
1. Path traversal (CWE-22): user-supplied `simulation_id`, `report_id`,
and `project_id` values were passed directly to `os.path.join()`
without validation, allowing `../` sequences to escape intended
directories.
- Added `backend/app/utils/id_validator.py` with `validate_safe_id()`
(rejects anything that isn't alphanumeric/underscore/hyphen) and
`safe_join()` (resolves realpath and verifies containment).
- Applied to all 3 path-construction sites in simulation.py, all 12
relevant handlers in report.py, and 6 sites in graph.py.
- Sanitized uploaded filenames with `os.path.basename()` in graph.py.
2. Missing authentication: all API endpoints were publicly accessible
with no auth mechanism.
- Added `backend/app/utils/auth.py` with an `X-Api-Key` middleware
registered as a `before_request` hook.
- Auth is opt-in: set `API_KEY` in `.env` to enforce it; if unset a
startup warning is logged. This preserves local dev workflows.
**High fixes:**
3. Hardcoded `SECRET_KEY` fallback replaced with `os.urandom(32).hex()`
so an unset key is never predictable.
4. `FLASK_DEBUG` now defaults to `False` instead of `True`.
5. Full Python tracebacks removed from all API error responses (51 total
across graph.py, report.py, simulation.py) — tracebacks still go to
the logger.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
dosubot
Bot
added
the
size:L
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
simulation_id,report_id, andproject_idwere passed directly toos.path.join()with no validation, allowing../sequences to escape intended directories.SECRET_KEYfell back to a hardcoded string;FLASK_DEBUGdefaulted toTrue.Changes
backend/app/utils/id_validator.py(new)validate_safe_id()rejects IDs with dots/slashes;safe_join()verifies realpath stays inside base dirbackend/app/utils/auth.py(new)X-Api-Keymiddleware asbefore_requesthookbackend/app/config.pySECRET_KEYusesos.urandomfallback;FLASK_DEBUGdefaultsFalse;API_KEYconfig addedbackend/app/__init__.pyAPI_KEYis unsetbackend/app/api/simulation.pyvalidate_safe_id+safe_joinat 3 path sites; 30 traceback fields removedbackend/app/api/report.pyvalidate_safe_idin 12 route handlers; 17 traceback fields removedbackend/app/api/graph.pyvalidate_safe_idat 6 sites; filename sanitized withos.path.basename; 4 traceback fields removed.env.exampleAPI_KEY,SECRET_KEY,FLASK_DEBUGwith production guidanceEnabling authentication
Set
API_KEYin.env, then includeX-Api-Key: <your-key>on every request. If unset, the app starts normally with a warning (backwards-compatible for local dev).Test plan
API_KEY— all endpoints accessible, startup warning loggedAPI_KEY=test123— requests withoutX-Api-Key: test123return 401GET /healthreturns 200 even without the header (exempted)GET /api/simulation/../../etc/passwdreturns 400 Invalid simulation_idGenerated with Claude Code