Security: download page path traversal allows arbitrary file read #2050
Closed
## Summary

The standalone download page handler in `node/rustchain_download_page.py` joins attacker-controlled request paths directly with `DOWNLOAD_DIR` and opens the resolved path without canonicalization or containment checks.

Current logic:

```python
file_path = self.path.lstrip("/")
full_path = os.path.join(DOWNLOAD_DIR, file_path)
```

Because traversal segments are not blocked, requests such as `GET /../../etc/passwd` can escape the downloads directory and read arbitrary files accessible to the process.

## Affected component

- `node/rustchain_download_page.py`

## Impact

If this download page service is reachable, an unauthenticated attacker can read any local file the service account can access, including configuration files, source files, and potentially secrets present on disk.

## Suggested fix

- Reject traversal segments early
- Canonicalize the final path with `os.path.realpath()`
- Enforce that the resolved path stays within the intended download directory before serving any file

I have a minimal fix prepared and can open a PR immediately.

Wallet: RTC1d48d848a5aa5ecf2c5f01aa5fb64837daaf2f35
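The three suggested fixes carried through in code, as an added example that is not the project's own patch: `vulnerable_join` reproduces the reported logic so the escape is visible, and `resolve_download_path` rejects traversal segments, canonicalizes with `os.path.realpath()` and enforces containment. The `DOWNLOAD_DIR` value and both function names are assumptions.

```python
import os
from urllib.parse import unquote

# Constructed stand-in for the service's DOWNLOAD_DIR (not the project's value).
DOWNLOAD_DIR = "/srv/downloads"


def download_root():
    """Canonical form of the download directory; the containment boundary."""
    return os.path.realpath(DOWNLOAD_DIR)


def vulnerable_join(request_path):
    """The logic from the report. normpath() stands in for what the kernel
    does with '..' when the file is opened, so the escape becomes visible."""
    file_path = request_path.lstrip("/")
    return os.path.normpath(os.path.join(DOWNLOAD_DIR, file_path))


def resolve_download_path(request_path):
    """Map a request path to a file under DOWNLOAD_DIR, or None if rejected.

    Implements the suggested fix: reject traversal segments early,
    canonicalize with realpath(), and check containment before serving.
    """
    # Drop any query string and percent-decode first, so the checks below
    # run on the same string the file would later be opened with.
    decoded = unquote(request_path.split("?", 1)[0])
    # NUL bytes and backslashes have no place in a download name.
    if "\x00" in decoded or "\\" in decoded:
        return None
    segments = [s for s in decoded.lstrip("/").split("/") if s]
    # Reject traversal segments early, before touching the filesystem.
    if any(seg in ("..", ".") for seg in segments):
        return None
    base = download_root()
    candidate = os.path.realpath(os.path.join(base, *segments))
    # Containment: candidate must be base itself or live strictly below it.
    # realpath() also catches escapes via symlinks inside the download directory.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate
```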