Summary
lib/server.py serves the entire artifact directory via SimpleHTTPRequestHandler, including the feedback/ subdirectory. The in-page library only needs feedback/history.json (which it polls to detect new walkthroughs); inbox.jsonl (full comment stream) and lastseen.json (per-session bookkeeping) are agent-side state that browser/HTTP clients should not be able to read.
Today, GET /feedback/inbox.jsonl returns the entire comment history with 200 OK.
Impact
Suggested fix
In do_GET, block any path under /feedback/ except history.json. Important: normalize the path first (posixpath.normpath(unquote(path))) so the check isn't bypassed by:
- Dot segments:
/./feedback/inbox.jsonl, /x/../feedback/inbox.jsonl
- Double slashes:
/feedback//inbox.jsonl
- Percent-encoding:
/%66eedback/inbox.jsonl
All four of these resolve to the same file in SimpleHTTPRequestHandler.translate_path, but a naive exact-string check on the raw URL path would let them through.
Summary
lib/server.pyserves the entire artifact directory viaSimpleHTTPRequestHandler, including thefeedback/subdirectory. The in-page library only needsfeedback/history.json(which it polls to detect new walkthroughs);inbox.jsonl(full comment stream) andlastseen.json(per-session bookkeeping) are agent-side state that browser/HTTP clients should not be able to read.Today,
GET /feedback/inbox.jsonlreturns the entire comment history with200 OK.Impact
Suggested fix
In
do_GET, block any path under/feedback/excepthistory.json. Important: normalize the path first (posixpath.normpath(unquote(path))) so the check isn't bypassed by:/./feedback/inbox.jsonl,/x/../feedback/inbox.jsonl/feedback//inbox.jsonl/%66eedback/inbox.jsonlAll four of these resolve to the same file in
SimpleHTTPRequestHandler.translate_path, but a naive exact-string check on the raw URL path would let them through.