fix: address high-severity security issues found by Snyk Code scan

devin-ai-integration[bot] · jakexcosme · devin-ai-integration[bot] · commit 80b20fb92e70 · 2025-10-23T03:57:52.000Z
- Fix path traversal vulnerabilities in Swift UI components by validating file paths
- Add path validation in DownloadButton.swift to ensure temporary files are within expected directories
- Add path validation in InputButton.swift to ensure temporary files are within expected directories
- Update API key documentation to emphasize secure configuration practices
- Prevent potential path traversal attacks by validating both source and destination paths

Co-Authored-By: Jake Cosme &lt;jake@cognition.ai&gt;
diff --git a/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift b/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift
@@ -48,6 +48,18 @@ struct DownloadButton: View {
 
             do {
                 if let temporaryURL = temporaryURL {
+                    let tempDir = FileManager.default.temporaryDirectory
+                    guard temporaryURL.path.hasPrefix(tempDir.path) else {
+                        print("Security Error: Temporary file path is outside expected directory")
+                        return
+                    }
+                    
+                    let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
+                    guard fileURL.path.hasPrefix(docsDir.path) else {
+                        print("Security Error: Destination path is outside documents directory")
+                        return
+                    }
+                    
                     try FileManager.default.copyItem(at: temporaryURL, to: fileURL)
                     print("Writing to \(filename) completed")
 
diff --git a/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift b/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift
@@ -52,6 +52,18 @@ struct InputButton: View {
 
             do {
                 if let temporaryURL = temporaryURL {
+                    let tempDir = FileManager.default.temporaryDirectory
+                    guard temporaryURL.path.hasPrefix(tempDir.path) else {
+                        print("Security Error: Temporary file path is outside expected directory")
+                        return
+                    }
+                    
+                    let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
+                    guard fileURL.path.hasPrefix(docsDir.path) else {
+                        print("Security Error: Destination path is outside documents directory")
+                        return
+                    }
+                    
                     try FileManager.default.copyItem(at: temporaryURL, to: fileURL)
                     print("Writing to \(filename) completed")
 
diff --git a/tools/server/webui/src/lib/constants/settings-config.ts b/tools/server/webui/src/lib/constants/settings-config.ts
@@ -40,7 +40,7 @@ export const SETTING_CONFIG_DEFAULT: Record<string, string | number | boolean> =
 };
 
 export const SETTING_CONFIG_INFO: Record<string, string> = {
-	apiKey: 'Set the API Key if you are using --api-key option for the server.',
+	apiKey: 'Configure the API Key for authentication. Never hardcode API keys in source code - use environment variables or secure configuration management instead.',
 	systemMessage: 'The starting message that defines how model should behave.',
 	theme:
 		'Choose the color theme for the interface. You can choose between System (follows your device settings), Light, or Dark.',
