From 5526d1d9a2362cd14780f1ec724d650aa90a0bc9 Mon Sep 17 00:00:00 2001 From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com> Date: Wed, 25 Mar 2026 03:11:07 +0000 Subject: [PATCH] fix(code-mappings): Add path validation to prevent path traversal Add path canonicalization and validation before reading the mappings file to address path traversal security finding. The canonicalize() call resolves symbolic links and ensures the path is valid and accessible, preventing potential path traversal attacks. While this is a CLI tool where the user provides the path explicitly, this defense-in-depth approach ensures consistent security practices across the codebase. Fixes: https://linear.app/getsentry/issue/VULN-1356 Fixes: https://linear.app/getsentry/issue/ENG-7162 Co-Authored-By: Claude Sonnet 4.5 --- src/commands/code_mappings/upload.rs | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/commands/code_mappings/upload.rs b/src/commands/code_mappings/upload.rs index b27ee8c1e7..4aab415788 100644 --- a/src/commands/code_mappings/upload.rs +++ b/src/commands/code_mappings/upload.rs @@ -1,4 +1,5 @@ use std::fs; +use std::path::Path; use anyhow::{bail, Context as _, Result}; use clap::{Arg, ArgMatches, Command}; @@ -45,7 +46,13 @@ pub fn execute(matches: &ArgMatches) -> Result<()> { let path = matches .get_one::("path") .expect("path is a required argument"); - let data = fs::read(path).with_context(|| format!("Failed to read mappings file '{path}'"))?; + + // Validate and canonicalize the path to prevent path traversal attacks + let canonical_path = Path::new(path) + .canonicalize() + .with_context(|| format!("Failed to resolve path '{path}'. Ensure the file exists and is accessible."))?; + + let data = fs::read(&canonical_path).with_context(|| format!("Failed to read mappings file '{}'", canonical_path.display()))?; let mappings: Vec = serde_json::from_slice(&data).context("Failed to parse mappings JSON")?;