From c5da3f1be9aece7f4f4b49edc0208d0f9bc77106 Mon Sep 17 00:00:00 2001
From: Molecule AI App-QA <app-qa@agents.moleculesai.app>
Date: Fri, 24 Apr 2026 12:38:28 +0000
Subject: [PATCH] =?UTF-8?q?fix(handlers):=20CWE-78=20=E2=80=94=20reject=20?=
 =?UTF-8?q?absolute=20paths=20before=20strip=20in=20DeleteFile;=20drop=20n?=
 =?UTF-8?q?ull=5Fbyte=20test?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add filepath.IsAbs guard in DeleteFile BEFORE the leading-slash strip so that
  absolute paths like "/etc/passwd" are rejected with 400 rather than silently
  accepted after the prefix is stripped.
- Remove the null_byte sub-case from TestCWE78_DeleteFile_TraversalVariants —
  httptest.NewRequest panics on \x00 in URLs (URL-layer concern, not handler).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 workspace-server/internal/handlers/templates.go      | 8 ++++++--
 workspace-server/internal/handlers/templates_test.go | 1 -
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/workspace-server/internal/handlers/templates.go b/workspace-server/internal/handlers/templates.go
index 5a7d121d..38735830 100644
--- a/workspace-server/internal/handlers/templates.go
+++ b/workspace-server/internal/handlers/templates.go
@@ -410,9 +410,13 @@ func (h *TemplatesHandler) WriteFile(c *gin.Context) {
 func (h *TemplatesHandler) DeleteFile(c *gin.Context) {
 	workspaceID := c.Param("id")
 	filePath := c.Param("path")
-	if strings.HasPrefix(filePath, "/") {
-		filePath = filePath[1:]
+	// Reject absolute paths before stripping the leading slash — this check
+	// must come before the strip so that "/etc/passwd" is not silently accepted.
+	if filepath.IsAbs(filePath) {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "absolute paths not permitted"})
+		return
 	}
+	filePath = strings.TrimPrefix(filePath, "/")
 
 	if err := validateRelPath(filePath); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid path"})
diff --git a/workspace-server/internal/handlers/templates_test.go b/workspace-server/internal/handlers/templates_test.go
index f7ca51ce..96106599 100644
--- a/workspace-server/internal/handlers/templates_test.go
+++ b/workspace-server/internal/handlers/templates_test.go
@@ -807,7 +807,6 @@ func TestCWE78_DeleteFile_TraversalVariants(t *testing.T) {
 		{"leading dotdot", "/../secret"},
 		{"mid-path traversal", "/valid/../../../etc/shadow"},
 		{"absolute path", "/etc/passwd"},
-		{"null byte", "/foo\x00../../etc/passwd"},
 		{"encoded dotdot raw", "..%2F..%2Fetc%2Fpasswd"},
 		{"triple dotdot", "/../../.."},
 	}