
fix(agent): validate request path before forwarding to ExApp#105

Merged
oleksandr-nc merged 1 commit into main from fix/agent-input-validation on May 14, 2026

Conversation

@oleksandr-nc
Contributor

No description provided.

Signed-off-by: Oleksander Piskun <oleksandr2088@icloud.com>
@oleksandr-nc oleksandr-nc requested a review from kyteinsky as a code owner May 14, 2026 05:06
@coderabbitai

coderabbitai Bot commented May 14, 2026

📝 Walkthrough

This PR introduces path traversal attack protection to the SPOA message handler. A new regex pattern detects parent-directory (..) segments in request paths, including URL-encoded variants (e.g., %2e) and mixed-case forms. The exapps_msg handler now performs an early validation check: if a path contains .. segments, the request is logged, failures are recorded for non-trusted callers, and the transaction is marked as bad_request before any further processing occurs.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Description check: ❓ Inconclusive. No pull request description was provided by the author, making it impossible to assess whether any description relates to the changeset. Resolution: add a pull request description explaining the motivation for the path validation, the security concern being addressed, and the implementation approach.
✅ Passed checks (3 passed)
  • Title check: ✅ Passed. The title 'fix(agent): validate request path before forwarding to ExApp' clearly and specifically describes the main change: adding path validation before forwarding requests to ExApp.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
haproxy_agent.py (1)

32-34: ⚡ Quick win

Add regression tests for the traversal matcher.

This regex is security-sensitive and easy to weaken accidentally. A small table of match/non-match cases for raw, mixed-case encoded, and boundary inputs would lock the behavior in.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 2b6c4b29-28a4-4a1b-bf1c-442676931c99

📥 Commits

Reviewing files that changed from the base of the PR and between e0079d1 and d306b86.

📒 Files selected for processing (1)
  • haproxy_agent.py
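The walkthrough describes a matcher for `..` segments that also covers percent-encoded and mixed-case dots, and the review comment asks for a match/non-match table to pin that behaviour down. The following is an added example, not the code in haproxy_agent.py: a regex built on that description, the kind of regression table the reviewer suggests, and a minimal early-check flow (mark bad_request, count the failure for non-trusted callers). Treating `%2f` as a segment separator and keying failures by a caller id are assumptions.

```python
import re

# Added example, not the project's own regex.  Each dot of the ".." segment may
# be literal or percent-encoded; re.IGNORECASE covers %2E as well as %2e.  A
# segment boundary is the start/end of the path or a literal or encoded slash
# (the encoded '%2f' separator is an assumption, not from the PR).
_DOT = r"(?:\.|%2e)"
_SEP = r"(?:/|%2f)"
TRAVERSAL_RE = re.compile(rf"(?:^|{_SEP}){_DOT}{_DOT}(?={_SEP}|[?#]|$)", re.IGNORECASE)


def has_parent_dir_segment(path: str) -> bool:
    """True if the raw request path contains a '..' segment in any encoding."""
    return TRAVERSAL_RE.search(path) is not None


# Constructed regression table: (path, expected result of the matcher).
TRAVERSAL_CASES = [
    ("/foo/../bar", True),        # plain parent-directory segment
    ("/foo/%2e%2e/bar", True),    # both dots percent-encoded
    ("/foo/%2E%2e/", True),       # mixed case
    ("/foo/.%2e/bar", True),      # one literal dot, one encoded
    ("/foo/..", True),            # segment at the end of the path
    ("..", True),                 # whole path is the segment
    ("/foo/..?x=1", True),        # followed by a query string
    ("/..%2fother", True),        # encoded separator after the segment
    ("/foo/bar.txt", False),      # ordinary file name
    ("/foo/.../bar", False),      # three dots is a legal segment name
    ("/foo/a..b/", False),        # dots inside a name
    ("/foo/..hidden", False),     # name that merely starts with two dots
    ("/.well-known/x", False),    # single-dot prefix
]


def failing_cases() -> list:
    """Rows where the matcher disagrees with the table; empty means all pass."""
    return [(p, e) for p, e in TRAVERSAL_CASES if has_parent_dir_segment(p) != e]


def check_request_path(path: str, trusted: bool, caller: str, failures: dict) -> str:
    """Early validation step modelled on the walkthrough (hypothetical shape).

    A '..' path is rejected before any further processing; the failure is
    counted per caller only for non-trusted callers.
    """
    if has_parent_dir_segment(path):
        if not trusted:
            failures[caller] = failures.get(caller, 0) + 1
        return "bad_request"
    return "ok"
```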

@oleksandr-nc oleksandr-nc merged commit 067c09f into main May 14, 2026
17 checks passed
@oleksandr-nc oleksandr-nc deleted the fix/agent-input-validation branch May 14, 2026 06:16