From b5512b97d0f0509771716bc96fe4b030c281bf0a Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Sat, 9 May 2026 00:26:33 +0000
Subject: [PATCH] fix(security): autofix Path traversal attack possible
---
 crates/tracevault-server/src/api/code.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/crates/tracevault-server/src/api/code.rs b/crates/tracevault-server/src/api/code.rs
index 0f14fd4..f5cf9b3 100644
--- a/crates/tracevault-server/src/api/code.rs
+++ b/crates/tracevault-server/src/api/code.rs
@@ -277,8 +277,13 @@ pub async fn get_tree(
 let target_tree = if query.path.is_empty() || query.path == "/" {
 tree
 } else {
+ // Prevent path traversal attacks by rejecting paths containing '..'.
+ let path = std::path::Path::new(&query.path);
+ if path.components().any(|c| c == std::path::Component::ParentDir) {
+ return Err(AppError::BadRequest(format!("Invalid input: {}", path.display())));
+ }
 let entry = tree
- .get_path(std::path::Path::new(&query.path))
+ .get_path(path)
 .map_err(|e| AppError::NotFound(format!("Path not found: {e}")))?;
 let obj = entry.to_object(&repo)?;
 obj.into_tree()
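Review bot: The new guard in the `else` branch is a denylist that rejects only `Component::ParentDir`, so absolute inputs (`RootDir`, and `Prefix` on Windows) still reach `tree.get_path`; an allowlist states the intent more tightly: `if !path.components().all(|c| matches!(c, std::path::Component::Normal(_))) {`. Because `query.path == "/"` is special-cased just above, confirm that no client sends a leading `/` before rejecting `RootDir`. The lookup appears to resolve against a repository tree object (`entry.to_object(&repo)`) rather than the filesystem, so the check is presumably defence in depth, and the comment should say so instead of implying filesystem access. The `BadRequest` message also echoes the raw request value through `path.display()`; a fixed string such as `"Invalid path".to_string()` keeps attacker-controlled text out of responses and logs. `get_tree` starts and ends outside the hunk, and the patch carries no test for a request containing `..`.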