From 7984a427c31e088b481a49eceef2b058202a4933 Mon Sep 17 00:00:00 2001
From: "Joseph T. French"
Date: Sun, 22 Mar 2026 00:14:48 -0500
Subject: [PATCH] Enhance DuckDBConnectionPool with path validation

- Added a defense-in-depth check to ensure the resolved database path remains within the base directory, raising a ValueError if it escapes the intended directory.
---
 robosystems/graph_api/core/duckdb/pool.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/robosystems/graph_api/core/duckdb/pool.py b/robosystems/graph_api/core/duckdb/pool.py
index c72ac66f..0d6a670f 100644
--- a/robosystems/graph_api/core/duckdb/pool.py
+++ b/robosystems/graph_api/core/duckdb/pool.py
@@ -202,6 +202,10 @@ def _create_new_connection(self, graph_id: str) -> DuckDBConnectionInfo:
     try:
       db_path = self._get_database_path(graph_id)
+      # Defense-in-depth: verify resolved path stays under base_path
+      if not db_path.resolve().is_relative_to(self.base_path.resolve()):
+        raise ValueError(f"Path escapes base directory: {db_path}")
+
       # Ensure database directory exists
       db_path.parent.mkdir(parents=True, exist_ok=True)