[BUG] [v0.0.7] cortex-snapshot SnapshotStorage path construction uses unsanitized IDs — path traversal via malicious session_id writes arbitrary JSON files outside storage directory

[petar-vasilev]

Project

cortex

Description

cortex-snapshot/src/storage.rs SnapshotStorage uses session_id and snapshot_id directly in path construction without any sanitization:
fn snapshot_path(&self, id: &str) -> PathBuf { self.storage_path.join(format!('{}.json', id)) }
fn history_path(&self, session_id: &str) -> PathBuf { self.storage_path.join(format!('history_{}.json', session_id)) }
If session_id contains '../' sequences (e.g., '../../../etc/cron.d/evil'), the resulting path traverses outside the intended storage directory.
Rust's Path::join() does NOT sanitize '../' components: '/data/snapshot_meta'.join('history_../../etc/cron.d/evil.json') => '/data/snapshot_meta/history_../../etc/cron.d/evil.json' => which resolves to '/etc/cron.d/evil.json' via the OS
ATTACK VECTORS: save_revert_history('../../../etc/cron.d/backdoor', history): writes arbitrary JSON to /etc/cron.d/backdoor.json load_snapshot('../../etc/passwd'): reads /etc/passwd (mapped as serde_json parse error -> file not found)
Cortex processes user-specified session names from API calls or CLI args. If a session name is user-controlled and passed to storage functions, arbitrary files can be written or read outside the snapshot directory.

Error Message

Debug Logs

cortex-snapshot/src/storage.rs:135-142 (UNSANITIZED PATH CONSTRUCTION):
    fn snapshot_path(&self, id: &str) -> PathBuf {
        // BUG: id is directly inserted into path with no sanitization!
        self.storage_path.join(format!("{}.json", id))
    }

    fn history_path(&self, session_id: &str) -> PathBuf {
        // BUG: session_id is directly inserted into path!
        self.storage_path.join(format!("history_{}.json", session_id))
    }

  Rust Path::join() does NOT prevent path traversal:
    PathBuf::from("/data/snapshot_meta")
      .join("history_../../etc/passwd.json")
    == PathBuf::from("/data/snapshot_meta/history_../../etc/passwd.json")

  When the OS resolves this path (open, write, etc.):
    /data/snapshot_meta/history_../../etc/passwd.json
    = /data/etc/passwd.json  (if /data/snapshot_meta -> /data)
    = /etc/passwd.json       (if /data is /, traversal goes above root dir)

    save_revert_history('../../tmp/evil', data)
    -> path = /snapshot_meta/history_../../tmp/evil.json
    -> writes to /tmp/evil.json  (ARBITRARY FILE WRITE!)

System Information

OS: Ubuntu 22.04 LTS  |  Version: v0.0.7

Screenshots

https://github.com/petar-vasilev/screenshots/blob/main/b2c6e89520b542e2bc10151ce3c74000.png

Steps to Reproduce

1. Run: cortex snapshot list --session '../../etc/cron.d/backdoor'
2. cortex session create --name '../../tmp/injected'
3. Cortex creates snapshot, calls save_revert_history('../../tmp/injected', ...)
4. File is written to /tmp/injected.json instead of snapshot_meta/
5. cortex snapshot list --session '../../tmp/injected'
6. File is read from /tmp/injected.json (path traversal read)

Expected Behavior

Sanitize IDs before using them in path construction. The simplest fix is to reject IDs containing path separators:

fn sanitize_id(id: &str) -> Result<()> {
if id.contains('/') || id.contains('\') || id.contains('.') {
// Check for path traversal components:
if Path::new(id).components().any(|c| matches!(c, Component::ParentDir)) {
return Err(SnapshotError::InvalidId(id.to_string()));
}
}
Ok(())
}

fn snapshot_path(&self, id: &str) -> Result {
sanitize_id(id)?;
Ok(self.storage_path.join(format!("{}.json", id)))
}

Or use a hash of the ID as the filename instead of the raw ID:
fn snapshot_path(&self, id: &str) -> PathBuf {
let safe_name = hex::encode(sha256(id.as_bytes()));
self.storage_path.join(format!("{}.json", safe_name))
}

Actual Behavior

cortex-snapshot/src/storage.rs:135-142: Both snapshot_path() and history_path() use the raw id/session_id strings directly in format!() for path construction, without checking for path traversal sequences. Rust's Path::join() allows '../' components. If these IDs are ever derived from user input (session names, message IDs), an attacker can write arbitrary JSON files to any location accessible by the Cortex process.

Additional Context

── Code Evidence ────────────────────────────────────────────────────
cortex-snapshot/src/storage.rs:135-142 (BUG LOCATION)
fn snapshot_path(&self, id: &str) -> PathBuf {
self.storage_path.join(format!("{}.json", id)) // UNSAFE!
}
fn history_path(&self, session_id: &str) -> PathBuf {
self.storage_path.join(format!("history_{}.json", session_id)) // UNSAFE!
}

Rust Path::join() documentation:
'If path is absolute, it replaces the current path.'
'Otherwise, all path components are appended.'
--> '../' is NOT treated as an error, it IS appended and resolved by OS

Note: Path::join() with an ABSOLUTE path (starting with '/') replaces
the entire base path, making it even more severe. So:
save_revert_history('/etc/passwd', ...) writes to /etc/passwd.json

[atlas-cortex]

✅ Validation Summary — Issue #53119

All validation checks passed. 1/17 code rules failed | 1 PENALIZE | 14 LLM instructions active

Confidence Score: 4/5

• All validation checks passed. This submission meets the bounty requirements.

Validation Checks

Check	Status	Detail
Media Evidence	✅ Pass	Evidence found and accessible
Spam Detection	✅ Pass	Score: 0% — no spam signals
Duplicate Detection	✅ Pass	No significant overlap with existing issues
Code Verification	✅ Pass	Bug confirmed in source code (confidence: 100%) — The SnapshotStorage implementation in cortex-snapshot/src/storage.rs uses `i
Edit History	✅ Pass	No suspicious edits
LLM Evaluation	✅ Pass	All validation checks passed. 1/17 code rules failed

Validation Pipeline

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["Issue #53119"] --> B{"Media Check"}
    B -->|"✅ Found"| C{"Spam Check"}
    C -->|"✅ Clean"| D{"Duplicate Check"}
    D -->|"✅ Unique"| CV{"Code Verify"}
    CV -->|"✅ Confirmed"| E{"Edit History"}
    E -->|"✅ Normal"| F{"LLM Evaluation"}
    F -->|"✅ Valid"| G["✅ Approved"]
    style G fill:#51cf66,color:#fff

Loading

Raw Evidence

{
  "media": {
    "hasMedia": true,
    "accessible": true,
    "urls": [
      "https://github.com/petar-vasilev/screenshots/blob/main/b2c6e89520b542e2bc10151ce3c74000.png"
    ],
    "evidence": [
      "Found 1 media URL(s) via markdown parsing",
      "1 URL(s) accessible"
    ]
  },
  "spam": {
    "overallScore": 0,
    "details": "template=0.00 (0 recent issues compared); burst=0.00 (1 issues in 2h window); parity=0.00; overall=0.00 (threshold=0.7)"
  },
  "duplicate": {
    "isDuplicate": false,
    "similarity": 0.5600105674539023,
    "topSimilar": [
      {
        "issueNumber": 52981,
        "title": "[BUG][v0.1.0] Path traversal in `cortex dag` storage: `--id` can escape the DAG base directory",
        "similarity": 0.5600105674539023
      },
      {
        "issueNumber": 52835,
        "title": "[BUG] [v0.0.7] cortex-plugins scaffold functions allow path traversal by joining unvalidated plugin_id into the output path (sdk.rs:323, 1012)",
        "similarity": 0.5459367132947257
      },
      {
        "issueNumber": 52683,
        "title": "[BUG] [v0.0.7] **`cortex github install`**: **`--workflow-name`** path traversal — **write outside** **`.github/workflows/`**",
        "similarity": 0.542362230815836
      },
      {
        "issueNumber": 52545,
        "title": "[BUG] [v0.0.7] `cortex agent install <name>` joins `args.name` into the agents path without rejecting `..` or path separators — can write outside the agents directory",
        "similarity": 0.5343286480429884
      },
      {
        "issueNumber": 52519,
        "title": "[BUG] [v0.0.1] agent install accepts path-traversal names without validation — writes agent file outside agents directory",
        "similarity": 0.5257647715608816
      }
    ]
  },
  "editHistory": {
    "fraudScore": 0,
    "editCount": 0,
    "details": "No edits detected"
  },
  "codeVerification": {
    "plausible": true,
    "confidence": 1,
    "reasoning": "The `SnapshotStorage` implementation in `cortex-snapshot/src/storage.rs` uses `id` and `session_id` directly in `PathBuf::join` without any sanitization. In Rust, `Path::join` does not normalize or sanitize `../` components, meaning an attacker can supply a session ID like `../../tmp/evil` to traverse outside the intended `storage_path` directory. This allows arbitrary file writes (via `save_revert_history`) and reads (via `load_snapshot`) as described in the bug report.",
    "codeEvidence": "    fn snapshot_path(&self, id: &str) -> PathBuf {\n        self.storage_path.join(format!(\"{}.json\", id))\n    }\n\n    fn history_path(&self, session_id: &str) -> PathBuf {\n        self.storage_path\n            .join(format!(\"history_{}.json\", session_id))\n    }",
    "screenshotValid": true,
    "screenshotReasoning": "The screenshot analysis tool returned valid for the provided screenshot URL, indicating it shows a real user-facing bug and not just source code."
  },
  "rules": {
    "codeResults": {
      "passed": [
        {
          "ruleId": "content.no-profanity",
          "category": "content",
          "severity": "flag",
          "passed": true,
          "message": "Issue should not contain excessive profanity or abusive language",
          "weight": 1
        },
        {
          "ruleId": "content.reasonable-length",
          "category": "content",
          "severity": "flag",
          "passed": true,
          "message": "Issue body should not exceed 15000 characters (possible spam dump)",
          "weight": 1
        },
        {
          "ruleId": "content.has-context",
          "category": "content",
          "severity": "penalize",
          "passed": true,
          "message": "Issue should mention the affected page, component, or URL",
          "weight": 0.2
        },
        {
          "ruleId": "media.require-evidence",
          "category": "media",
          "severity": "require",
          "passed": true,
          "message": "Issue must include at least one screenshot or video URL",
          "weight": 1
        },
        {
          "ruleId": "media.must-be-accessible",
          "category": "media",
          "severity": "require",
          "passed": true,
          "message": "All media URLs must be publicly accessible (HTTP 200)",
          "weight": 1
        },
        {
          "ruleId": "media.no-placeholder-urls",
          "category": "media",
          "severity": "reject",
          "passed": true,
          "message": "Media URLs should not be placeholder or example URLs",
          "weight": 1
        },
        {
          "ruleId": "scoring.suspicious-edits",
          "category": "scoring",
          "severity": "penalize",
          "passed": true,
          "message": "Penalize issues with concerning edit history (fraud score > 0.3)",
          "weight": 0.25
        },
        {
          "ruleId": "spam.high-score-reject",
          "category": "spam",
          "severity": "reject",
          "passed": true,
          "message": "Reject issues with spam score above 0.85",
          "weight": 1
        },
        {
          "ruleId": "spam.generic-title",
          "category": "spam",
          "severity": "penalize",
          "passed": true,
          "message": "Title should not be a generic/template title",
          "weight": 0.4
        },
        {
          "ruleId": "spam.body-is-title-repeat",
          "category": "spam",
          "severity": "penalize",
          "passed": true,
          "message": "Body should not be a simple repetition of the title",
          "weight": 0.5
        },
        {
          "ruleId": "spam.no-ai-filler",
          "category": "spam",
          "severity": "flag",
          "passed": true,
          "message": "Body should not contain obvious AI-generated filler phrases",
          "weight": 1
        },
        {
          "ruleId": "validity.min-body-length",
          "category": "validity",
          "severity": "reject",
          "passed": true,
          "message": "Issue body must be at least 50 characters",
          "weight": 1
        },
        {
          "ruleId": "validity.min-title-length",
          "category": "validity",
          "severity": "reject",
          "passed": true,
          "message": "Issue title must be at least 10 characters",
          "weight": 1
        },
        {
          "ruleId": "validity.no-empty-body",
          "category": "validity",
          "severity": "reject",
          "passed": true,
          "message": "Issue body must not be empty or only whitespace",
          "weight": 1
        },
        {
          "ruleId": "validity.has-steps-or-description",
          "category": "validity",
          "severity": "penalize",
          "passed": true,
          "message": "Issue body should contain structured content (steps, expected/actual behavior)",
          "weight": 0.3
        },
        {
          "ruleId": "validity.not-a-feature-request",
          "category": "validity",
          "severity": "flag",
          "passed": true,
          "message": "Issue should describe a bug, not a feature request",
          "weight": 1
        }
      ],
      "failed": [
        {
          "ruleId": "scoring.duplicate-threshold",
          "category": "scoring",
          "severity": "penalize",
          "passed": false,
          "message": "Issue has moderate similarity to existing issues, suggesting partial overlap.",
          "weight": 0.3
        }
      ]
    },
    "llmInstructions": [
      "Always prioritize concrete evidence (screenshots, videos, URLs) over the quality of the written description. A poorly written report with clear visual proof of a bug is VALID. A beautifully written report with no evidence is INVALID.",
      "A valid bug report must contain enough information for an engineer to reproduce the issue. If the steps to reproduce are missing or impossibly vague (\"it just broke\"), the issue is INVALID.",
      "You MUST call the deliver_verdict function exactly once. Do not output a JSON object manually. Do not output your verdict in plain text. Use the tool.",
      "Be highly suspicious of submissions that follow a rigid template: same structure, same phrasing, with only the page name or URL swapped. These are template-farmed and should be INVALID. Look for: identical sentence structure, placeholder-like descriptions, formulaic \"Steps to Reproduce\".",
      "When similar issues exist, the OLDER issue (lower issue number) always takes precedence. The newer submission is the duplicate, never the other way around.",
      "Confidence scores must be calibrated: use 0.9+ only when evidence is unambiguous and complete. Use 0.5-0.7 when the issue is borderline. Use below 0.5 when you are genuinely uncertain. Never default to 0.5 — commit to a direction.",
      "Do not give the benefit of the doubt. Missing evidence means INVALID. Unclear reproduction steps means INVALID. Inaccessible media means INVALID. The burden of proof is on the submitter.",
      "In the reasoning field, explain your step-by-step analysis BEFORE stating your conclusion. Cover: evidence quality, clarity, spam signals, and duplicate overlap in that order.",
      "Never mention internal scoring thresholds, rule IDs, detection heuristics, or system architecture in the recap field. The recap is public-facing. Keep reasoning technical but recap user-friendly.",
      "If the issue body reads like AI-generated boilerplate (phrases like \"It is important to note\", \"Furthermore\", \"In conclusion\", excessive politeness, no specific technical details), treat it as strong evidence of spam. AI-generated issues with no real bug details are INVALID.",
      "If the pre-computed media check says media URLs exist, verify the description matches what a screenshot would show. If the description talks about a login page but the context suggests the screenshot is of something unrelated, flag this as suspicious.",
      "Never soften a verdict out of sympathy. \"I can see you tried hard but...\" is not acceptable. If the submission does not meet criteria, it is INVALID regardless of apparent effort.",
      "Write your reasoning and recap in a professional, neutral tone. Do not be sarcastic, condescending, or emotional. State facts.",
      "The recap field must be 2-3 sentences maximum. It will be posted as a public comment. No bullet points in recap — use flowing prose."
    ],
    "totalCodeRules": 17,
    "totalLLMRules": 14,
    "hasReject": false,
    "hasFailed": true,
    "penaltyScore": 0.3,
    "summary": "1/17 code rules failed | 1 PENALIZE | 14 LLM instructions active"
  }
}

_{Validated by Atlas • 2026-04-10}

[GreyforgeLabs]

Opened upstream PR: CortexLM/cortex-code#384

Patch summary:

• Added snapshot storage ID validation before building metadata paths.
• Rejected snapshot IDs/session IDs that are not a single filename segment, including /, \, NUL, ., .., absolute paths, and nested paths.
• Added tests for snapshot ID traversal, session-history traversal, accepted UUID-like IDs, and rejected path segments.

Validation:

• cargo test -p cortex-snapshot
• cargo check -p cortex-snapshot
• cargo fmt --package cortex-snapshot --check
• git diff --check