Skip to content

Emtemf/api-codegen REV-2026-002: Remove arbitrary PROJECT_ROOT static file fallback #13

Description

@Emtemf

finding_id: REV-2026-002
priority: P0
area: security
kind: security
paths:

  • web-ui/server.js
    blocked_by: []
    automation: needs-design

Summary

Remove the arbitrary PROJECT_ROOT static-file fallback from the Web UI server and serve only an explicit allowlist of safe resources.

Evidence

Global review finding REV-2026-002 identified a fallback in web-ui/server.js that can resolve arbitrary paths under PROJECT_ROOT, including project metadata and configuration files.

Impact

A remote or local client that can reach the server may read source-controlled files and sensitive repository configuration.

Scope

Delete the entire arbitrary project-root fallback, implement a fail-closed static-resource allowlist, and preserve documented home-page and example-YAML loading behavior.

Out of scope

General repository permission changes, authentication, and unrelated API bridge behavior.

Acceptance criteria

  • 删除整个 PROJECT_ROOT 任意文件 fallback
  • GET /pom.xml/.git/config/.claude/settings.local.json 返回 404 或 403
  • 首页和示例 YAML 仍可加载
  • 用 allowlist/fail-closed 策略覆盖静态资源

Verification

Exercise the forbidden paths and valid home-page/example-YAML paths through the running server; add automated HTTP regression tests.

Rollback

Revert the static-resource routing change while preserving failing regression tests and security design notes.

Dependencies

None. Keep this issue labeled automation:needs-design; do not add automation:ready until design review is complete.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions