[security] fix(sessions): validate session_id before deleting session files (#412)

* fix(sessions): validate session_id before deleting files * fix: remove premature session index invalidation before validation check * docs: v0.50.32 release — version badge and CHANGELOG --------- Co-authored-by: hinotoi-agent <paperlantern.agent@gmail.com> Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>
2026-04-13 23:10:46 -07:00
parent 539501ed2b
commit 3cc5839bf3
4 changed files with 35 additions and 2 deletions
--- a/api/routes.py
+++ b/api/routes.py
@@ -724,10 +724,16 @@ def handle_post(handler, parsed) -> bool:
        sid = body.get("session_id", "")
        if not sid:
            return bad(handler, "session_id is required")
+        if not all(c in '0123456789abcdefghijklmnopqrstuvwxyz_' for c in sid):
+            return bad(handler, "Invalid session_id", 400)
        # Delete from WebUI session store
        with LOCK:
            SESSIONS.pop(sid, None)
-        p = SESSION_DIR / f"{sid}.json"
+        try:
+            p = (SESSION_DIR / f"{sid}.json").resolve()
+            p.relative_to(SESSION_DIR.resolve())
+        except Exception:
+            return bad(handler, "Invalid session_id", 400)
        try:
            p.unlink(missing_ok=True)
        except Exception: