Skip to content

fix: cora scan security findings (traversal, byte-slice panic, header inject, orphan file)#95

Merged
ajianaz merged 1 commit into
developfrom
fix/cora-scan-security
Jul 8, 2026
Merged

fix: cora scan security findings (traversal, byte-slice panic, header inject, orphan file)#95
ajianaz merged 1 commit into
developfrom
fix/cora-scan-security

Conversation

@ajianaz

@ajianaz ajianaz commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Addresses the valid security/robustness findings from a cora scan (v0.6.2) of the codebase. Triaged 59 findings down to 4 real issues; false positives left untouched.

Fixed

File Issue Fix
storage.rs Path traversal check used naive contains("..") — both weaker than needed and rejects legit filenames with .. Check Path components (ParentDir / absolute) instead
oauth.rs (×2) &body[..200] panics on multibyte UTF-8 in provider error bodies Char-bounded preview() helper
attachment_routes.rs Content-Disposition: inline; filename="\{user_input\}" — CR/LF → header injection, " → broken header sanitize_filename() (neutralize CR/LF/quote/ctrl, fallback to download)
attachment_routes.rs File saved to disk before DB insert; if insert fails → orphaned file leak Cleanup file on DB-insert failure

Triaged as false positives (not changed)

  • store.rs MAX() in UPDATE — SQLite scalar max(a,b), tests pass
  • store.rs ON CONFLICT — SQLite supports it, tests pass
  • store.rs FTS5 p.rowid — valid implicit rowid column, tests pass
  • auth_routes.rs cookie suffix injection — the = is included in the prefix check, which is the correct mitigation
  • storage_key &id[..0] — empty slice is valid, no panic
  • Dockerfile binary name — the binary is built as rungu ([[bin]] name = "rungu")

Out of scope (separate concerns)

Checklist

  • cargo fmt --check
  • cargo clippy -D warnings
  • cargo test --workspace (91 pass, +2 new)
  • cora review (0 issues)

…eader inject, orphan file)

- storage: resolve_path checks Path components (ParentDir/absolute) instead
  of naive substring; allows legit '..' filenames, blocks traversal
- oauth: char-safe body preview (was &body[..200] → panic on multibyte UTF-8)
- attachment: sanitize Content-Disposition filename (CR/LF/quote/ctrl)
- attachment: clean up orphaned storage file when DB insert fails
- tests: preview multibyte + sanitize_filename
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

🔍 Cora AI Code Review

⚠️ Review recommended — warnings found.

🟡 Warning (1)

  • unknown:? — Cora AI review could not complete: LLM API returned status 401: {"error":"Insufficient balance"}
    . Review was skipped; no code quality issues were found by the automated check.

Review powered by cora-cli · BYOK · MIT

@ajianaz ajianaz merged commit 6099891 into develop Jul 8, 2026
12 checks passed
@ajianaz ajianaz deleted the fix/cora-scan-security branch July 8, 2026 18:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant