BUG: HandleVolumeAdd missing path validation — path traversal possible on volume creation #107

Closed
opened 2026-02-20 12:28:40 +01:00 by clawbot · 0 comments
Collaborator

Severity: HIGH

File & Line

internal/handlers/app.go:978-1005

Description

HandleVolumeAdd accepts host_path and container_path from the form and passes them directly to the database without calling validateVolumePaths(). The validation function exists and is correctly used in HandleVolumeEdit (app.go:1176), but was missed in the add handler.

```go
// HandleVolumeAdd — NO validation
volume.HostPath = hostPath
volume.ContainerPath = containerPath

// HandleVolumeEdit — HAS validation
pathErr := validateVolumePaths(hostPath, containerPath)
if pathErr != nil { ... }
```

Without validation, relative paths, non-clean paths (containing ..), and empty paths can be stored and later passed to Docker as bind mount sources.

Impact

A volume with a relative or traversal path (e.g. ../../etc) could be created and used in the next deploy, potentially mounting unintended host directories into the container.

Suggested Fix

Add validateVolumePaths(hostPath, containerPath) check in HandleVolumeAdd before saving, same as HandleVolumeEdit.

clawbot added this to the 1.0 milestone 2026-02-20 12:28:40 +01:00
clawbot added the bug label 2026-02-20 12:28:40 +01:00
clawbot self-assigned this 2026-02-20 12:28:40 +01:00
sneak closed this issue 2026-02-20 13:47:14 +01:00
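
The check described in the issue, as an added example that is not part of the issue or the project's code: it rejects the three classes the report names (empty, relative and non-clean paths) and routes every volume through one constructor, so an add path and an edit path cannot differ. `Volume`, `checkBindPath` and `NewVolume` are hypothetical names, the project's `validateVolumePaths` is not shown on the page, and POSIX-style paths on a Linux Docker host are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
)

// Volume is a hypothetical stand-in carrying the two fields shown in the issue.
type Volume struct{ HostPath, ContainerPath string }

var (
	ErrEmpty    = errors.New("path is empty")
	ErrRelative = errors.New("path is not absolute")
	ErrUnclean  = errors.New("path is not in clean form")
)

// checkBindPath rejects empty, relative and non-clean paths (assumes POSIX paths).
func checkBindPath(p string) error {
	switch {
	case p == "":
		return ErrEmpty
	case !path.IsAbs(p):
		return ErrRelative
	case path.Clean(p) != p: // catches "..", ".", "//" and trailing "/"
		return ErrUnclean
	}
	return nil
}

// NewVolume validates both paths; calling it from add and edit keeps them in step.
func NewVolume(hostPath, containerPath string) (Volume, error) {
	if err := checkBindPath(hostPath); err != nil {
		return Volume{}, fmt.Errorf("host_path %q: %w", hostPath, err)
	}
	if err := checkBindPath(containerPath); err != nil {
		return Volume{}, fmt.Errorf("container_path %q: %w", containerPath, err)
	}
	return Volume{HostPath: hostPath, ContainerPath: containerPath}, nil
}

func main() {
	// Constructed sample inputs, including the "../../etc" case from the issue.
	for _, hp := range []string{"/srv/data", "../../etc", "/srv/../etc", "", "/srv/data/"} {
		_, err := NewVolume(hp, "/data")
		fmt.Printf("%-14q -> %v\n", hp, err)
	}
}
```

A clean absolute path can still name a sensitive host directory, so this check covers only the path forms listed in the issue, not which directories are acceptable to mount.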
Reference: sneak/upaas#107