bug: path traversal in GET /code-sync/drift component query param

[mrveiss]

Summary

GET /code-sync/drift?component=<value> passes the user-supplied component parameter directly into Path(root) / component without any allowlist or boundary check.

Affected files:

• autobot-slm-backend/services/drift_checker.py — get_default_source_dir() / get_default_deployed_dir()
• autobot-slm-backend/api/code_sync.py — /drift endpoint

Reproduction

GET /code-sync/drift?component=../../etc

Path("/opt/autobot/code_source") / "../../etc" resolves to /opt/etc, allowing an authenticated caller to checksum files outside the intended deployed root.

Fix

Add an explicit allowlist of permitted component names (e.g. {"autobot-slm-backend", "autobot-slm-frontend", "autobot-backend"}) in get_default_source_dir / get_default_deployed_dir, and raise HTTPException(400) for any value not in the set. Alternatively, resolve the final path with Path.resolve() and assert it is a subdirectory of the root.

Introduced in

Commit 0dba8915b — feat(slm): add deployed-vs-source drift detection to code-sync (#2834)

[github-actions]

PR #3430 (merged to Dev_new_gui) references this issue with a close keyword.

feat(slm): deployed-vs-source file drift detection (#2834)

If this issue is fully resolved, close it manually. If work remains, no action is needed.

[mrveiss]

Fixed in PR #3430 — added ALLOWED_COMPONENTS frozenset in drift_checker.py and HTTPException(400) guard in the endpoint.