🛡️ Sentinel: Fix critical path traversal and injection vulnerabilities

server.js

@@ -178,7 +178,7 @@
 
   // Additional checks for suspicious patterns
   const suspiciousPatterns = [
     /\x00/,           // Null bytes
     /[<>"|*?]/,       // Dangerous file characters
     /^\//,            // Absolute paths
     /^[a-zA-Z]:\\/,   // Windows absolute paths
@@ -220,6 +220,9 @@
 
     // Validate individual comments
     for (const [file, comment] of Object.entries(comments)) {
+      if (!DiffService.isValidFilePath(file)) {
+        return { valid: false, error: 'Invalid file path in comments' };
+      }
       if (typeof comment !== 'string' || comment.length > 10000) {
         return { valid: false, error: 'Comment too long (max 10,000 characters)' };
       }
@@ -247,7 +250,7 @@
       return { valid: false, error: 'Too many excluded files (max 1000)' };
     }
 
-    if (!excludedFiles.every(f => typeof f === 'string' && f.length < 500)) {
+    if (!excludedFiles.every(f => typeof f === 'string' && f.length < 500 && DiffService.isValidFilePath(f))) {
       return { valid: false, error: 'Invalid excluded file entries' };
     }
   }

services/diffService.js

@@ -133,7 +133,7 @@ class DiffService {
     }
 
     // Prevent dangerous characters that could be used for command injection
-    const dangerousChars = /[;&|`$(){}[\]<>]/;
+    const dangerousChars = /[;&|`$(){}[\]<>'"]/;
     if (dangerousChars.test(filePath)) {
       return false;
     }

src/utils/validation.js

@@ -31,7 +31,7 @@
 
   // Additional checks for suspicious patterns
   const suspiciousPatterns = [
     /\x00/,           // Null bytes
     /[<>"|*?]/,       // Dangerous file characters
     /^\//,            // Absolute paths
     /^[a-zA-Z]:\\/,   // Windows absolute paths
@@ -75,6 +75,9 @@
     }
 
     for (const [file, comment] of Object.entries(comments)) {
+      if (file.includes('..') || file.startsWith('/') || file.includes('\\') || /[;&|`$(){}[\]<>'"]/.test(file)) {
+        return { valid: false, error: 'Invalid file path in comments' };
+      }
       if (typeof comment !== 'string' || comment.length > 10000) {
         return { valid: false, error: 'Comment too long (max 10,000 characters)' };
       }
@@ -102,7 +105,7 @@
       return { valid: false, error: 'Too many excluded files (max 1000)' };
     }
 
-    if (!excludedFiles.every(f => typeof f === 'string' && f.length < 500)) {
+    if (!excludedFiles.every(f => typeof f === 'string' && f.length < 500 && !(f.includes('..') || f.startsWith('/') || f.includes('\\') || /[;&|`$(){}[\]<>'"]/.test(f)))) {
       return { valid: false, error: 'Invalid excluded file entries' };
     }
   }