[BUG] Path Traversal Vulnerability in Search Path Parameter #201

@EnthusiasticTech

Project

vgrep

Description

The search functionality accepts arbitrary paths without validation against path traversal attacks. The path parameter in search requests can contain ../ sequences to escape the intended directory. While canonicalize() is called, it silently falls back to using the original path if canonicalization fails, allowing malicious paths to pass through.

Error Message

Debug Logs

System Information

Bounty Version: 0.1.0
OS: Ubuntu 24.04 LTS
CPU: AMD EPYC-Genoa Processor (8 cores)
RAM: 15 GB

Screenshots

No response

Steps to Reproduce

  1. Start vgrep server: vgrep serve
  2. Send search request with path traversal:
    curl -X POST http://127.0.0.1:7777/search \
      -H 'Content-Type: application/json' \
      -d '{"query":"secret","path":"../../../etc","limit":10}'
  3. Observe that no validation error is returned

Expected Behavior

  1. Paths containing ../ should be rejected or sanitized
  2. Searches should be restricted to indexed directories only
  3. Path traversal attempts should return an error

Actual Behavior

  1. Any path is accepted without validation
  2. canonicalize() failure silently uses original malicious path
  3. If sensitive files were indexed, they could be searched from any context

Additional Context

Location: src/core/search.rs:43

let abs_path = std::fs::canonicalize(path).unwrap_or_else(|_| path.to_path_buf());

Security Impact: High - Could allow searching indexed sensitive files outside intended scope.
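The fallback pattern quoted above, next to a fail-closed variant, as an added example that is not part of the original issue or vgrep's code. It assumes a single configured search root; `resolve_fallback`, `resolve_within` and `sample_root` are hypothetical names, and the directory tree and request values are constructed.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Pattern quoted in the issue: if canonicalize() fails, the raw input is used as-is.
fn resolve_fallback(path: &Path) -> PathBuf {
    fs::canonicalize(path).unwrap_or_else(|_| path.to_path_buf())
}

/// Fail-closed variant (hypothetical helper): resolve `requested` under `root`,
/// propagate canonicalize() errors, and require the result to stay inside `root`.
fn resolve_within(root: &Path, requested: &Path) -> io::Result<PathBuf> {
    let root = fs::canonicalize(root)?;
    // join() discards `root` when `requested` is absolute; the prefix check still rejects it.
    let resolved = fs::canonicalize(root.join(requested))?;
    // Path::starts_with compares whole components, so "/data/indexed2" is not under "/data/indexed".
    if resolved.starts_with(&root) {
        Ok(resolved)
    } else {
        Err(io::Error::new(io::ErrorKind::PermissionDenied, "path escapes search root"))
    }
}

/// Constructed sample tree: <tmp>/vgrep_demo_<pid>/indexed/docs
fn sample_root() -> io::Result<PathBuf> {
    let base = std::env::temp_dir().join(format!("vgrep_demo_{}", std::process::id()));
    let root = base.join("indexed");
    fs::create_dir_all(root.join("docs"))?;
    Ok(root)
}

fn main() -> io::Result<()> {
    let root = sample_root()?;
    // Constructed request values, including the one from the reproduction steps.
    for req in ["docs", "..", "../../../etc", "missing/../../x"] {
        let p = Path::new(req);
        let checked = resolve_within(&root, p).map_err(|e| e.kind());
        println!("{:<16} fallback={:?} checked={:?}", req, resolve_fallback(p), checked);
    }
    Ok(())
}
```

A path that cannot be canonicalized is returned unchanged by the fallback version, while the checked version reports it as an error instead of passing it on.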

Labels: bug, ide, invalid, vgrep