From 946e2e455fe2279f5fd1035742a582b3d75ad396 Mon Sep 17 00:00:00 2001 From: rcourtman Date: Wed, 12 Nov 2025 16:27:11 +0000 Subject: [PATCH] Security: Fix path traversal vulnerability in host-agent download endpoint CRITICAL SECURITY FIX: The /download/pulse-host-agent endpoint was directly concatenating user-supplied platform and arch query parameters into file paths without validation, allowing path traversal attacks. An attacker could request: /download/pulse-host-agent?platform=../../etc/passwd to read arbitrary files from the container filesystem. Fix: Add input validation to only allow alphanumeric characters and hyphens in platform/arch parameters before using them in file paths. Related: Codex security audit identified this during pre-release review --- internal/api/router.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/internal/api/router.go b/internal/api/router.go index a48571f..40f85c1 100644 --- a/internal/api/router.go +++ b/internal/api/router.go @@ -3326,6 +3326,18 @@ func (r *Router) handleDownloadHostAgent(w http.ResponseWriter, req *http.Reques platformParam := strings.TrimSpace(req.URL.Query().Get("platform")) archParam := strings.TrimSpace(req.URL.Query().Get("arch")) + // Validate platform and arch to prevent path traversal attacks + // Only allow alphanumeric characters and hyphens + validPattern := regexp.MustCompile(`^[a-zA-Z0-9\-]+$`) + if platformParam != "" && !validPattern.MatchString(platformParam) { + http.Error(w, "Invalid platform parameter", http.StatusBadRequest) + return + } + if archParam != "" && !validPattern.MatchString(archParam) { + http.Error(w, "Invalid arch parameter", http.StatusBadRequest) + return + } + searchPaths := make([]string, 0, 12) strictMode := platformParam != "" && archParam != ""