Security: Only check development paths in debug builds

StuartCameronCode · claude · StuartCameronCode · commit 0588cb7cbb9e · 2026-01-18T18:25:56.000+11:00
Restrict relative path traversal (../../../) to debug builds only:
- Flutter: Use kDebugMode check before searching dev paths
- Rust: Use #[cfg(debug_assertions)] for dev path search

This prevents production builds from checking relative paths
that could potentially be exploited to load malicious dependencies.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/app/lib/services/dependency_manager.dart b/app/lib/services/dependency_manager.dart
@@ -4,6 +4,7 @@ import 'dart:io';
 
 import 'package:archive/archive.dart';
 import 'package:crypto/crypto.dart';
+import 'package:flutter/foundation.dart';
 import 'package:flutter/services.dart';
 import 'package:http/http.dart' as http;
 import 'package:path/path.dart' as path;
@@ -187,7 +188,20 @@ class DependencyManager {
       // Fall back to production path (will trigger download)
       return prodDeps;
     } else if (Platform.isMacOS) {
-      // First check Application Support (where downloaded deps go)
+      // Development only: check relative paths to project root
+      if (kDebugMode) {
+        // From app/build/macos/Build/Products/Debug/vapourbox.app/Contents/MacOS up 9 levels
+        final devDepsArm = Directory(path.join(appDir, '..', '..', '..', '..', '..', '..', '..', '..', '..', 'deps', 'macos-arm64'));
+        if (await devDepsArm.exists()) {
+          return Directory(await devDepsArm.resolveSymbolicLinks());
+        }
+        final devDepsX64 = Directory(path.join(appDir, '..', '..', '..', '..', '..', '..', '..', '..', '..', 'deps', 'macos-x64'));
+        if (await devDepsX64.exists()) {
+          return Directory(await devDepsX64.resolveSymbolicLinks());
+        }
+      }
+
+      // Production: check Application Support (where downloaded deps go)
       final home = Platform.environment['HOME'];
       if (home != null) {
         final appSupportDeps = Directory(path.join(
@@ -198,17 +212,6 @@ class DependencyManager {
         }
       }
 
-      // Development: go up to project root and find deps/macos-arm64 or macos-x64
-      // From app/build/macos/Build/Products/Debug/vapourbox.app/Contents/MacOS up 9 levels
-      final devDepsArm = Directory(path.join(appDir, '..', '..', '..', '..', '..', '..', '..', '..', '..', 'deps', 'macos-arm64'));
-      if (await devDepsArm.exists()) {
-        return Directory(await devDepsArm.resolveSymbolicLinks());
-      }
-      final devDepsX64 = Directory(path.join(appDir, '..', '..', '..', '..', '..', '..', '..', '..', '..', 'deps', 'macos-x64'));
-      if (await devDepsX64.exists()) {
-        return Directory(await devDepsX64.resolveSymbolicLinks());
-      }
-
       // Fall back to Application Support (will trigger download)
       final home2 = Platform.environment['HOME'] ?? '/tmp';
       return Directory(path.join(
diff --git a/app/lib/services/preview_generator.dart b/app/lib/services/preview_generator.dart
@@ -3,6 +3,7 @@ import 'dart:convert';
 import 'dart:io';
 import 'dart:typed_data';
 
+import 'package:flutter/foundation.dart';
 import 'package:path/path.dart' as path;
 import 'package:uuid/uuid.dart';
 
@@ -483,23 +484,28 @@ class PreviewGenerator {
     final platformDir = _getPlatformSuffix();
 
     // Check bundled locations (platform-specific subdirectory)
-    final bundledPaths = Platform.isWindows
-        ? [
-            '$exeDir\\deps\\$platformDir\\ffmpeg\\$name$ext',
-            '$exeDir\\deps\\$platformDir\\vapoursynth\\$name$ext',
-            // VSPipe is capitalized on Windows
-            '$exeDir\\deps\\$platformDir\\vapoursynth\\VSPipe$ext',
-          ]
-        : [
-            // Production: downloaded deps in Contents/MacOS/deps/
-            '$exeDir/deps/$platformDir/ffmpeg/$name',
-            '$exeDir/deps/$platformDir/vapoursynth/$name',
-            // Bundled in Helpers (legacy)
-            '$exeDir/../Helpers/$name',
-            // Development: go up from app/build/macos/Build/Products/Debug/vapourbox.app/Contents/MacOS to project root (9 levels)
-            '$exeDir/../../../../../../../../../deps/$platformDir/ffmpeg/$name',
-            '$exeDir/../../../../../../../../../deps/$platformDir/vapoursynth/$name',
-          ];
+    final home = Platform.environment['HOME'] ?? '';
+    final List<String> bundledPaths;
+
+    if (Platform.isWindows) {
+      bundledPaths = [
+        '$exeDir\\deps\\$platformDir\\ffmpeg\\$name$ext',
+        '$exeDir\\deps\\$platformDir\\vapoursynth\\$name$ext',
+        // VSPipe is capitalized on Windows
+        '$exeDir\\deps\\$platformDir\\vapoursynth\\VSPipe$ext',
+      ];
+    } else {
+      bundledPaths = [
+        // Development only: relative paths to project root
+        if (kDebugMode) ...[
+          '$exeDir/../../../../../../../../../deps/$platformDir/ffmpeg/$name',
+          '$exeDir/../../../../../../../../../deps/$platformDir/vapoursynth/$name',
+        ],
+        // Application Support (where downloaded deps go on macOS)
+        '$home/Library/Application Support/VapourBox/deps/$platformDir/ffmpeg/$name',
+        '$home/Library/Application Support/VapourBox/deps/$platformDir/vapoursynth/$name',
+      ];
+    }
 
     for (final p in bundledPaths) {
       if (await File(p).exists()) {
diff --git a/worker/src/dependency_locator.rs b/worker/src/dependency_locator.rs
@@ -31,51 +31,52 @@ impl DependencyLocator {
 
     /// Find the deps directory by searching various locations.
     fn find_deps_directory(exe_path: &Path) -> Result<PathBuf> {
-        // On macOS, first check Application Support (where downloaded deps go)
-        #[cfg(target_os = "macos")]
+        // Development only: search upward from executable for project deps
+        #[cfg(debug_assertions)]
         {
-            if let Some(home) = env::var_os("HOME") {
-                let app_support_deps = PathBuf::from(home)
-                    .join("Library")
-                    .join("Application Support")
-                    .join("VapourBox")
-                    .join("deps");
-                if app_support_deps.join("macos-arm64").exists()
-                    || app_support_deps.join("macos-x64").exists() {
-                    return Ok(app_support_deps);
+            let mut current = exe_path.parent();
+            while let Some(dir) = current {
+                // Check for deps directory with platform subdirectory
+                // This ensures we find the project deps, not Cargo's deps
+                let deps_dir = dir.join("deps");
+                if deps_dir.exists() {
+                    // Verify this has our expected structure (windows-x64 or macos-arm64, etc.)
+                    let has_platform_dir = deps_dir.join("windows-x64").exists()
+                        || deps_dir.join("macos-arm64").exists()
+                        || deps_dir.join("macos-x64").exists();
+                    if has_platform_dir {
+                        return Ok(deps_dir);
+                    }
                 }
+                current = dir.parent();
             }
         }
 
-        // Search upward from executable
-        let mut current = exe_path.parent();
-
-        while let Some(dir) = current {
-            // Check for deps directory with platform subdirectory
-            // This ensures we find the project deps, not Cargo's deps
-            let deps_dir = dir.join("deps");
-            if deps_dir.exists() {
-                // Verify this has our expected structure (windows-x64 or macos-arm64, etc.)
-                let has_platform_dir = deps_dir.join("windows-x64").exists()
-                    || deps_dir.join("macos-arm64").exists()
-                    || deps_dir.join("macos-x64").exists();
-                if has_platform_dir {
-                    return Ok(deps_dir);
-                }
+        // Windows production: deps folder next to executable
+        #[cfg(target_os = "windows")]
+        {
+            let exe_dir = exe_path.parent().unwrap_or(Path::new("."));
+            let deps_dir = exe_dir.join("deps");
+            if deps_dir.join("windows-x64").exists() {
+                return Ok(deps_dir);
             }
-
-            current = dir.parent();
         }
 
-        // Fallback: Application Support on macOS, relative path otherwise
+        // macOS production: Application Support (where downloaded deps go)
         #[cfg(target_os = "macos")]
         {
             if let Some(home) = env::var_os("HOME") {
-                return Ok(PathBuf::from(home)
+                let app_support_deps = PathBuf::from(home)
                     .join("Library")
                     .join("Application Support")
                     .join("VapourBox")
-                    .join("deps"));
+                    .join("deps");
+                if app_support_deps.join("macos-arm64").exists()
+                    || app_support_deps.join("macos-x64").exists() {
+                    return Ok(app_support_deps);
+                }
+                // Fallback to Application Support path (will be created when deps download)
+                return Ok(app_support_deps);
             }
         }
 
