[BUG] Search Path Canonicalize Silent Fallback Enables Path Bypass #206

@EnthusiasticTech

Project

vgrep

Description

The search function's path canonicalization uses unwrap_or_else(|_| path.to_path_buf()) which silently falls back to the original path when canonicalization fails. Canonicalization can fail for:

  • Non-existent paths
  • Permission errors
  • Symlink loops
  • Paths with invalid characters

This silent fallback means malicious or malformed paths are used as-is without any validation.

Error Message

Debug Logs

System Information

Bounty Version: 0.1.0
OS: Ubuntu 24.04 LTS
CPU: AMD EPYC-Genoa Processor (8 cores)
RAM: 15 GB

Screenshots

No response

Steps to Reproduce

  1. Create a broken symlink: ln -s /nonexistent/path broken_link
  2. Search with the broken symlink as path:
    curl -X POST http://127.0.0.1:7777/search \
      -H 'Content-Type: application/json' \
      -d '{"query":"test","path":"broken_link"}'
  3. Observe that path is silently used without canonicalization

Expected Behavior

  1. Failed canonicalization should return an error
  2. User should be notified that path is invalid
  3. Search should not proceed with unvalidated path

Actual Behavior

  1. Canonicalization failure caught silently
  2. Original (potentially malicious) path used as-is
  3. No indication to user that path wasn't validated

Additional Context

Location: src/core/search.rs:43

let abs_path = std::fs::canonicalize(path).unwrap_or_else(|_| path.to_path_buf());

Labels: bug, valid, vgrep

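Added example, not part of the issue or of vgrep's own code: the fallback pattern quoted from src/core/search.rs:43 next to a strict variant that propagates the canonicalization error instead of hiding it. The function names, the `root` parameter and the containment check are assumptions made for illustration (the issue does not say whether searches are confined to a root), and a Unix host is assumed for the symlink call.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Pattern from the issue: any canonicalize error is swallowed and the
/// caller-supplied path is returned unchanged and unvalidated.
fn resolve_with_fallback(path: &Path) -> PathBuf {
    fs::canonicalize(path).unwrap_or_else(|_| path.to_path_buf())
}

/// Strict variant (assumption: searches are meant to stay under `root`).
fn resolve_strict(root: &Path, path: &Path) -> io::Result<PathBuf> {
    let root = fs::canonicalize(root)?;
    // `?` surfaces missing targets, permission errors and symlink loops
    // to the caller instead of continuing with the raw input.
    let abs = fs::canonicalize(root.join(path))?;
    // An absolute `path` replaces `root` in join(); this check rejects it too.
    if !abs.starts_with(&root) {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            "path escapes search root",
        ));
    }
    Ok(abs)
}

fn main() -> io::Result<()> {
    // Constructed sample input: a scratch directory holding a dangling symlink,
    // mirroring step 1 of the reproduction.
    let root = std::env::temp_dir().join(format!("canon_demo_{}", std::process::id()));
    fs::create_dir_all(&root)?;
    let link = root.join("broken_link");
    let _ = fs::remove_file(&link);
    std::os::unix::fs::symlink("/nonexistent/path", &link)?;

    println!("fallback: {:?}", resolve_with_fallback(&link));
    println!("strict:   {:?}", resolve_strict(&root, Path::new("broken_link")));
    println!("escape:   {:?}", resolve_strict(&root, Path::new("..")));
    fs::remove_dir_all(&root)
}
```

A request handler built on the strict variant can map the `Err` to a client error response, which covers the issue's expected behaviour of notifying the user and not proceeding with the search.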