masci / banks / 28243335110

95%

push

github

fix: restrict media filter file paths to the current working directory (#76)

* fix: restrict media filter file paths to the current working directory

Resolves absolute and traversal paths by canonicalizing them and
verifying they stay within CWD before opening. Tests updated to
chdir into tmp_path for file-based filter tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: use BANKS_MEDIA_ROOT env var as media path allowlist root

Falls back to CWD when the env var is not set. This lets production
deployments explicitly pin an allowed directory rather than relying
on the implicit working directory.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: document BANKS_MEDIA_ROOT constraint in Security section

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* test: add path traversal case to image filter rejection test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor: wire MEDIA_ROOT through _BanksConfig instead of os.environ directly

Also fixes _BanksConfig.__getattribute__ to unwrap Optional/union type
annotations before calling the constructor, so Path | None fields work
correctly when the env var is set.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: add BANKS_MEDIA_ROOT to AGENTS.md configuration section

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* style: apply ruff formatting to types.py

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: replace type(None) comparison with None.__class__ to satisfy pylint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

105 of 112 branches covered (93.75%)

Branch coverage included in aggregate %.

29 of 32 new or added lines in 2 files covered. (90.63%)

870 of 919 relevant lines covered (94.67%)

0.95 hits per line