[security] fix(sessions): validate session_id before deleting session files (#412)

* fix(sessions): validate session_id before deleting files * fix: remove premature session index invalidation before validation check * docs: v0.50.32 release — version badge and CHANGELOG --------- Co-authored-by: hinotoi-agent <paperlantern.agent@gmail.com> Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>
2026-04-13 23:10:46 -07:00
parent 539501ed2b
commit 3cc5839bf3
4 changed files with 35 additions and 2 deletions
--- a/tests/test_sprint3.py
+++ b/tests/test_sprint3.py
@@ -114,6 +114,24 @@ def test_session_delete_requires_session_id():
    result, status = post("/api/session/delete", {})
    assert status == 400

+
+def test_session_delete_rejects_absolute_path_payload(tmp_path):
+    victim = tmp_path / "victim.json"
+    victim.write_text("TOPSECRET", encoding="utf-8")
+    result, status = post("/api/session/delete", {"session_id": str(victim.with_suffix(""))})
+    assert status == 400
+    assert victim.exists(), "absolute-path payload must not delete arbitrary files"
+
+
+def test_session_delete_rejects_traversal_payload(tmp_path):
+    victim = tmp_path / "outside.json"
+    victim.write_text("TOPSECRET", encoding="utf-8")
+    traversal = f"../../../../{victim.with_suffix('').as_posix().lstrip('/')}"
+    result, status = post("/api/session/delete", {"session_id": traversal})
+    assert status == 400
+    assert victim.exists(), "traversal payload must not delete arbitrary files"
+
+
 def test_chat_start_requires_session_id():
    result, status = post("/api/chat/start", {"message": "hello"})
    assert status == 400