vrr/ruvector
2
0
Fork 0
mirror of https://github.com/ruvnet/RuVector.git synced 2026-05-28 01:44:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
ruvector/crates/ruvector-cli/src
History
rUv 71769aaa39 fix(security): path traversal in MCP server vector_db_backup (CWE-22) 
Add path validation to all MCP tools that accept user-supplied file paths,
preventing arbitrary file read/write via directory traversal.

Vulnerable functions patched:
- tool_backup: db_path and backup_path now validated
- tool_create_db: params.path now validated
- get_or_open_db: path now validated

Implementation:
- validate_path() canonicalizes paths and checks they resolve within
  the configured data_dir (defaults to cwd)
- Configurable via mcp.data_dir in config or RUVECTOR_MCP_DATA_DIR env
- Rejects absolute paths outside data_dir, ../traversal, and symlink escapes
- 8 unit tests covering all POC attack vectors from the report

CVSS 3.1: 9.1 (Critical) → Mitigated
Closes #207

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-02-25 13:32:21 +00:00
..
cli chore: update intelligence data and version bump to v0.1.71 2025-12-31 17:40:37 +00:00
mcp fix(security): path traversal in MCP server vector_db_backup (CWE-22) 2026-02-25 13:32:21 +00:00
config.rs fix(security): path traversal in MCP server vector_db_backup (CWE-22) 2026-02-25 13:32:21 +00:00
main.rs style: run cargo fmt across all crates 2025-12-29 17:41:49 +00:00
mcp_server.rs fix: Resolve CI build failures 2025-11-26 15:25:47 +00:00