Skip to content

fix: validate download path containment in runner#4417

Merged
markbackman merged 5 commits into
mainfrom
mb/resolve-runner-filepath
May 4, 2026
Merged

fix: validate download path containment in runner#4417
markbackman merged 5 commits into
mainfrom
mb/resolve-runner-filepath

Conversation

@markbackman
Copy link
Copy Markdown
Contributor

@markbackman markbackman commented May 4, 2026
edited
Loading

Summary

  • Fixes a path traversal in the development runner's /files/{filename:path} download endpoint, where %2F-encoded separators bypassed Starlette's path normalisation and let an unauthenticated request read any file the pipecat process could access.
  • The endpoint now resolves the joined path and rejects any filename that escapes --folder with a 403, and returns 404 (instead of an implicit null 200) when --folder is unset.
  • Adds tests covering literal ../, %2F-decoded traversal, absolute paths, and symlink escape.

Testing

  • uv run pytest tests/test_runner_downloads.py
  • Manual: start the runner with --folder /tmp/bot_media, confirm legitimate files still download and that curl http://127.0.0.1:7860/files/..%2F..%2Fetc%2Fpasswd returns 403.

markbackman added 2 commits May 4, 2026 16:20
@markbackman
fix: validate download path containment in runner
e780f75 
Resolve and contain the user-supplied filename before serving it from
the runner's /files endpoint. Also raise a 404 (instead of returning
None) when the downloads folder is unset, and use the resolved
basename for Content-Disposition.
@markbackman
docs: add changelog for #4417
5b087d6
@codecov
Copy link
Copy Markdown

codecov Bot commented May 4, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 54.54545% with 5 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/pipecat/runner/run.py 54.54% 5 Missing ⚠️
Files with missing lines Coverage Δ
src/pipecat/runner/run.py 11.35% <54.54%> (+11.35%) ⬆️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

filipi87
filipi87 approved these changes May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@filipi87 filipi87 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice improvement! 🚀

@markbackman markbackman merged commit 7519c26 into main May 4, 2026
6 checks passed
@markbackman markbackman deleted the mb/resolve-runner-filepath branch May 4, 2026 22:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@filipi87 filipi87 filipi87 approved these changes

@kompfner kompfner Awaiting requested review from kompfner

@aconchillo aconchillo Awaiting requested review from aconchillo

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@markbackman @filipi87