🛡️ Sentinel: Fix critical path traversal and injection vulnerabilities

[praxstack]

Severity: HIGH
Vulnerability: The validation for excludedFiles and keys in comments lacked strict file path validation, leaving potential for path traversal or injecting dangerous characters like ' and ". Also, the /api/staged-files endpoint was returning raw file paths without validation, potentially leading to DOM XSS.
Impact: An attacker could perform path traversal to overwrite/read arbitrary files or execute commands if strings were improperly handled further down the pipeline.
Fix:

• Updated DiffService.isValidFilePath to explicitly reject ' and ".
• Filtered /api/staged-files output to only return paths passing DiffService.isValidFilePath.
• Added standalone secure validation checks to validateExportRequest in src/utils/validation.js and server.js.
  Verification: pnpm test successfully completes, verifying existing behavior alongside the stricter checks.

---

PR created automatically by Jules for task 5984145591355289696 started by @praxstack

Summary by CodeRabbit

• Bug Fixes
  • Enhanced file path validation for export requests to reject paths containing invalid characters and patterns
  • Strengthened validation for excluded files to ensure proper formatting and reject unsafe paths
  • Improved filtering of staged files to remove invalid paths; added warning logs when files are filtered out

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Warning

Rate limit exceeded

@praxstack has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 8 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 65038f13-7ab8-4236-91cf-1728d7209c27

📥 Commits

Reviewing files that changed from the base of the PR and between c16253b and 601278a.

📒 Files selected for processing (1)

• server.js

📝 Walkthrough

Walkthrough

This pull request strengthens file path validation across export request handling and staged file processing endpoints. Updates introduce path traversal detection, dangerous character filtering (including quotes), and consistent validation logic to reject invalid file paths before processing.

Changes

Cohort / File(s)	Summary
Core Path Validation services/diffService.js	Enhanced isValidFilePath regex to reject single and double quote characters alongside existing dangerous characters.
Server Export & Staging server.js	Added per-item file path validation for comments in export requests; strengthened excludedFiles validation with type, length, and path checks; refined /api/staged-files to filter invalid paths and log warnings.
Validation Logic src/utils/validation.js	Extended validateExportRequest to reject file paths with path traversal patterns (..), leading slashes, backslashes, or dangerous characters; applied same validation to excludedFiles array entries.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Paths now guarded, quotes cast out,
Double-checked with fearless clout!
From '..'' to "/" we defend,
File validation shall not bend.
Security hops, validation prances—safer paths by leaps and dances! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately describes the main change: fixing critical path traversal and injection vulnerabilities in file path validation throughout the codebase.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch jules-5984145591355289696-9b63583f

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}