[security] Fix critical path traversal in conversations_db.rs by iberi22 · Pull Request #485 · iberi22/xavier

iberi22 · 2026-06-04T06:24:32Z

Sanitize project_id in ConversationsDb::db_path to allow only alphanumeric characters, hyphens, and underscores. Refactored the function to return a Result and use the dirs crate for robust home directory resolution. Consolidated path generation logic in ConnectionManager to use this sanitized path.

Fixes #428

PR created automatically by Jules for task 15548508301093936835 started by @iberi22

…rsations_db.rs - Implemented strict character filtering in db_path (alphanumeric, -, _) - Added defense-in-depth path escape check using canonicalize - Refactored db_path to return Result and use dirs crate - Updated ConnectionManager to use sanitized ConversationsDb::db_path - Added unit tests for sanitization and traversal prevention

google-labs-jules · 2026-06-04T06:24:33Z

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

gemini-code-assist · 2026-06-04T06:24:35Z

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

coderabbitai · 2026-06-04T06:24:39Z

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 322f1708-d7c4-4f87-bdb1-e2f3dffae2f4

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch security/fix-path-traversal-conversations-db-15548508301093936835

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

iberi22 · 2026-06-04T13:52:55Z

Same situation as #494 - too far behind main. The path traversal fix will be re-applied fresh.

google-labs-jules Bot mentioned this pull request Jun 4, 2026

[security] Path traversal critico en conversations_db.rs - sanitizar project_id #428

Closed

iberi22 closed this Jun 4, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[security] Fix critical path traversal in conversations_db.rs#485

[security] Fix critical path traversal in conversations_db.rs#485
iberi22 wants to merge 1 commit into
mainfrom
security/fix-path-traversal-conversations-db-15548508301093936835

iberi22 commented Jun 4, 2026

Uh oh!

google-labs-jules Bot commented Jun 4, 2026

Uh oh!

gemini-code-assist Bot commented Jun 4, 2026

Uh oh!

coderabbitai Bot commented Jun 4, 2026

Review skipped

Uh oh!

iberi22 commented Jun 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant