From 0d686465a2dbbea7cf30ed0c884a82fd27090fd4 Mon Sep 17 00:00:00 2001
From: VadlaReddySai
Date: Sun, 19 Apr 2026 23:21:52 -0400
Subject: [PATCH] Security fix: Add path validation to analyse_file tool (CWE-22)

---
 server/gti/gti_mcp/tools/files.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/server/gti/gti_mcp/tools/files.py b/server/gti/gti_mcp/tools/files.py
index 6c7c6650..8b4b7ba1 100644
--- a/server/gti/gti_mcp/tools/files.py
+++ b/server/gti/gti_mcp/tools/files.py
@@ -259,8 +259,15 @@ async def analyse_file(file_path: str, ctx: Context):
     Returns:
         The analysis report.
     """
+    import os
+    resolved = os.path.realpath(os.path.abspath(file_path))
+    allowed_dir = os.path.realpath("/tmp/gti-uploads")
+    if not resolved.startswith(allowed_dir + os.sep):
+        raise ValueError(
+            f"Access denied: file_path must be within {allowed_dir}"
+        )
     async with vt_client(ctx) as client:
-        with open(file_path, "rb") as f:
+        with open(resolved, "rb") as f:
             analysis = await client.scan_file_async(file=f)
             logging.info(f"File {file_path} uploaded.")
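Review bot: The allow-list root `"/tmp/gti-uploads"` is hard-coded under the shared, world-writable `/tmp`, so whichever local user creates that directory (or points a symlink there) before the server does decides what this check accepts; the root should come from a module-level constant or a setting the server already reads, created with restrictive permissions, with the `os.path.realpath` call kept on it. The prefix test is correct as written only because of the `+ os.sep` suffix; `if os.path.commonpath([resolved, allowed_dir]) != allowed_dir:` states the containment intent directly and lets the redundant `os.path.abspath` go, since `realpath` already returns an absolute path. The docstring visible at the top of the hunk ends with `Returns:` and now needs a `Raises:` entry stating that `ValueError` is raised when `file_path` resolves outside the upload directory, and the log line would be more accurate with `resolved` than the caller-supplied `file_path`. The `import os` belongs with the file's other imports rather than inside the function body. analyse_file's signature and the start of its docstring lie above the hunk and its body continues below it.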