refactor: implement ALLOWED_ROOT_DIRECTORY security and fix path validation

This commit consolidates directory security from two environment variables (WORKSPACE_DIR, ALLOWED_PROJECT_DIRS) into a single ALLOWED_ROOT_DIRECTORY variable while maintaining backward compatibility. Changes: - Re-enabled path validation in security.ts (was previously disabled) - Implemented isPathAllowed() to check ALLOWED_ROOT_DIRECTORY with DATA_DIR exception - Added backward compatibility for legacy ALLOWED_PROJECT_DIRS and WORKSPACE_DIR - Implemented path traversal protection via isPathWithinDirectory() helper - Added PathNotAllowedError custom exception for security violations - Updated all FS route endpoints to validate paths and return 403 on violation - Updated template clone endpoint to validate project paths - Updated workspace config endpoints to use ALLOWED_ROOT_DIRECTORY - Fixed stat() response property access bug in project-init.ts - Updated security tests to expect actual validation behavior Security improvements: - Path validation now enforced at all layers (routes, project init, agent services) - appData directory (DATA_DIR) always allowed for settings/credentials - Backward compatible with existing ALLOWED_PROJECT_DIRS/WORKSPACE_DIR configurations - Protection against path traversal attacks Backend test results: 654/654 passing ✅ 🤖 Generated with Claude Code Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-02-02 20:43:36 +00:00 · 2025-12-20 15:59:32 -05:00
parent 7d0656bb14
commit 8ff4b5912a
25 changed files with 424 additions and 72 deletions
--- a/apps/ui/src/components/views/board-view/worktree-panel/components/worktree-tab.tsx
+++ b/apps/ui/src/components/views/board-view/worktree-panel/components/worktree-tab.tsx
@@ -191,7 +191,9 @@ export function WorktreeTab({
            )}
            onClick={() => onSelectWorktree(worktree)}
            disabled={isActivating}
-            title="Click to preview main"
+            title={`Click to preview ${worktree.branch}`}
+            aria-label={worktree.branch}
+            data-testid={`worktree-branch-${worktree.branch}`}
          >
            {isRunning && <Loader2 className="w-3 h-3 animate-spin" />}
            {isActivating && !isRunning && (
--- a/apps/ui/src/components/views/welcome-view.tsx
+++ b/apps/ui/src/components/views/welcome-view.tsx
@@ -239,6 +239,24 @@ export function WelcomeView() {
      const api = getElectronAPI();
      const projectPath = `${parentDir}/${projectName}`;

+      // Validate that parent directory exists
+      const parentExists = await api.exists(parentDir);
+      if (!parentExists) {
+        toast.error("Parent directory does not exist", {
+          description: `Cannot create project in non-existent directory: ${parentDir}`,
+        });
+        return;
+      }
+
+      // Verify parent is actually a directory
+      const parentStat = await api.stat(parentDir);
+      if (parentStat && !parentStat.isDirectory) {
+        toast.error("Parent path is not a directory", {
+          description: `${parentDir} is not a directory`,
+        });
+        return;
+      }
+
      // Create project directory
      const mkdirResult = await api.mkdir(projectPath);
      if (!mkdirResult.success) {
--- a/apps/ui/src/lib/project-init.ts
+++ b/apps/ui/src/lib/project-init.ts
@@ -48,6 +48,34 @@ export async function initializeProject(
  const existingFiles: string[] = [];

  try {
+    // Validate that the project directory exists and is a directory
+    const projectExists = await api.exists(projectPath);
+    if (!projectExists) {
+      return {
+        success: false,
+        isNewProject: false,
+        error: `Project directory does not exist: ${projectPath}. Create it first before initializing.`,
+      };
+    }
+
+    // Verify it's actually a directory (not a file)
+    const projectStat = await api.stat(projectPath);
+    if (!projectStat.success) {
+      return {
+        success: false,
+        isNewProject: false,
+        error: projectStat.error || `Failed to stat project directory: ${projectPath}`,
+      };
+    }
+
+    if (projectStat.stats && !projectStat.stats.isDirectory) {
+      return {
+        success: false,
+        isNewProject: false,
+        error: `Project path is not a directory: ${projectPath}`,
+      };
+    }
+
    // Initialize git repository if it doesn't exist
    const gitDirExists = await api.exists(`${projectPath}/.git`);
    if (!gitDirExists) {
--- a/apps/ui/tests/spec-editor-persistence.spec.ts
+++ b/apps/ui/tests/spec-editor-persistence.spec.ts
@@ -46,28 +46,31 @@ test.describe("Spec Editor Persistence", () => {
    // Step 4: Click on the Spec Editor in the sidebar
    await navigateToSpecEditor(page);

-    // Step 5: Wait for the spec editor to load
+    // Step 5: Wait for the spec view to load (not empty state)
+    await waitForElement(page, "spec-view", { timeout: 10000 });
+
+    // Step 6: Wait for the spec editor to load
    const specEditor = await getByTestId(page, "spec-editor");
    await specEditor.waitFor({ state: "visible", timeout: 10000 });

-    // Step 6: Wait for CodeMirror to initialize (it has a .cm-content element)
+    // Step 7: Wait for CodeMirror to initialize (it has a .cm-content element)
    await specEditor.locator(".cm-content").waitFor({ state: "visible", timeout: 10000 });

-    // Step 7: Modify the editor content to "hello world"
+    // Step 8: Modify the editor content to "hello world"
    await setEditorContent(page, "hello world");

    // Verify content was set before saving
    const contentBeforeSave = await getEditorContent(page);
    expect(contentBeforeSave.trim()).toBe("hello world");

-    // Step 8: Click the save button and wait for save to complete
+    // Step 9: Click the save button and wait for save to complete
    await clickSaveButton(page);

-    // Step 9: Refresh the page
+    // Step 10: Refresh the page
    await page.reload();
    await waitForNetworkIdle(page);

-    // Step 10: Navigate back to the spec editor
+    // Step 11: Navigate back to the spec editor
    // After reload, we need to wait for the app to initialize
    await waitForElement(page, "sidebar", { timeout: 10000 });

@@ -116,7 +119,7 @@ test.describe("Spec Editor Persistence", () => {
      );
    }

-    // Step 11: Verify the content was persisted
+    // Step 12: Verify the content was persisted
    const persistedContent = await getEditorContent(page);
    expect(persistedContent.trim()).toBe("hello world");
  });
--- a/apps/ui/tests/utils/navigation/views.ts
+++ b/apps/ui/tests/utils/navigation/views.ts
@@ -37,8 +37,25 @@ export async function navigateToSpec(page: Page): Promise<void> {
  await page.goto("/spec");
  await page.waitForLoadState("networkidle");

-  // Wait for the spec view to be visible
-  await waitForElement(page, "spec-view", { timeout: 10000 });
+  // Wait for loading state to complete first (if present)
+  const loadingElement = page.locator('[data-testid="spec-view-loading"]');
+  try {
+    const loadingVisible = await loadingElement.isVisible({ timeout: 2000 });
+    if (loadingVisible) {
+      // Wait for loading to disappear (spec view or empty state will appear)
+      await loadingElement.waitFor({ state: "hidden", timeout: 10000 });
+    }
+  } catch {
+    // Loading element not found or already hidden, continue
+  }
+
+  // Wait for either the main spec view or empty state to be visible
+  // The spec-view element appears when loading is complete and spec exists
+  // The spec-view-empty element appears when loading is complete and spec doesn't exist
+  await Promise.race([
+    waitForElement(page, "spec-view", { timeout: 10000 }).catch(() => null),
+    waitForElement(page, "spec-view-empty", { timeout: 10000 }).catch(() => null),
+  ]);
 }

 /**
--- a/apps/ui/tests/utils/views/context.ts
+++ b/apps/ui/tests/utils/views/context.ts
@@ -128,7 +128,7 @@ export async function waitForContextFile(
  filename: string,
  timeout: number = 10000
 ): Promise<void> {
-  const locator = await getByTestId(page, `context-file-${filename}`);
+  const locator = page.locator(`[data-testid="context-file-${filename}"]`);
  await locator.waitFor({ state: "visible", timeout });
 }

--- a/apps/ui/tests/worktree-integration.spec.ts
+++ b/apps/ui/tests/worktree-integration.spec.ts
@@ -103,9 +103,10 @@ test.describe("Worktree Integration Tests", () => {
    const branchLabel = page.getByText("Branch:");
    await expect(branchLabel).toBeVisible({ timeout: 10000 });

-    // Verify main branch button is displayed
-    const mainBranchButton = page.getByRole("button", { name: "main" });
-    await expect(mainBranchButton).toBeVisible({ timeout: 10000 });
+    // Wait for worktrees to load and main branch button to appear
+    // Use data-testid for more reliable selection
+    const mainBranchButton = page.locator('[data-testid="worktree-branch-main"]');
+    await expect(mainBranchButton).toBeVisible({ timeout: 15000 });
  });

  test("should select main branch by default when app loads with stale worktree data", async ({