Enhance session export functionality with security improvements

This commit adds security measures to the session export process in the backend, including user authentication, permission verification, and session name validation to prevent path traversal attacks. The frontend has been updated to utilize a new React Query hook for fetching export data, streamlining the export process in the session details modal. Additionally, the code has been refactored for better readability and maintainability.

Author: Gkrumbach07

components/backend/websocket/export.go

@@ -2,14 +2,21 @@
 package websocket
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
+	"strings"
 	"time"
 
+	"ambient-code-backend/handlers"
+
 	"github.com/gin-gonic/gin"
+	authv1 "k8s.io/api/authorization/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // ExportResponse contains the exported session data
@@ -30,11 +37,57 @@ func HandleExportSession(c *gin.Context) {
 
 	log.Printf("Export: Exporting session %s/%s", projectName, sessionName)
 
-	// Build paths
-	sessionDir := fmt.Sprintf("%s/sessions/%s", StateBaseDir, sessionName)
-	aguiEventsPath := fmt.Sprintf("%s/agui-events.jsonl", sessionDir)
-	legacyMigratedPath := fmt.Sprintf("%s/messages.jsonl.migrated", sessionDir)
-	legacyOriginalPath := fmt.Sprintf("%s/messages.jsonl", sessionDir)
+	// SECURITY: Authenticate user and get user-scoped K8s client
+	reqK8s, _ := handlers.GetK8sClientsForRequest(c)
+	if reqK8s == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid or missing token"})
+		c.Abort()
+		return
+	}
+
+	// SECURITY: Verify user has permission to read this session
+	ctx := context.Background()
+	ssar := &authv1.SelfSubjectAccessReview{
+		Spec: authv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authv1.ResourceAttributes{
+				Group:     "vteam.ambient-code",
+				Resource:  "agenticsessions",
+				Verb:      "get",
+				Namespace: projectName,
+				Name:      sessionName,
+			},
+		},
+	}
+	res, err := reqK8s.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, ssar, metav1.CreateOptions{})
+	if err != nil || !res.Status.Allowed {
+		log.Printf("Export: User not authorized to read session %s/%s", projectName, sessionName)
+		c.JSON(http.StatusForbidden, gin.H{"error": "Unauthorized"})
+		c.Abort()
+		return
+	}
+
+	// SECURITY: Validate sessionName to prevent path traversal
+	if !isValidSessionName(sessionName) {
+		log.Printf("Export: Invalid session name detected: %s", sessionName)
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid session name"})
+		return
+	}
+
+	// Build paths safely using filepath.Join and validate they're within StateBaseDir
+	baseDir := filepath.Clean(StateBaseDir)
+	sessionDir := filepath.Join(baseDir, "sessions", sessionName)
+	sessionDir = filepath.Clean(sessionDir)
+
+	// SECURITY: Ensure path is within allowed directory (prevent path traversal)
+	if !strings.HasPrefix(sessionDir, baseDir) {
+		log.Printf("Export: Security - path traversal attempt detected: %s", sessionName)
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid session name"})
+		return
+	}
+
+	aguiEventsPath := filepath.Join(sessionDir, "agui-events.jsonl")
+	legacyMigratedPath := filepath.Join(sessionDir, "messages.jsonl.migrated")
+	legacyOriginalPath := filepath.Join(sessionDir, "messages.jsonl")
 
 	// Check if session directory exists
 	if _, err := os.Stat(sessionDir); os.IsNotExist(err) {
@@ -106,6 +159,44 @@ func HandleExportSession(c *gin.Context) {
 	c.JSON(http.StatusOK, response)
 }
 
+// isValidSessionName validates that the session name is a valid Kubernetes resource name
+// and doesn't contain path traversal characters
+func isValidSessionName(name string) bool {
+	// Must not be empty
+	if name == "" {
+		return false
+	}
+
+	// Must not contain path traversal characters
+	if strings.Contains(name, "..") || strings.Contains(name, "/") || strings.Contains(name, "\\") {
+		return false
+	}
+
+	// Kubernetes DNS label format: lowercase alphanumeric, hyphens allowed (not at start/end)
+	// Max 63 characters
+	if len(name) > 63 {
+		return false
+	}
+
+	// Check each character
+	for i, ch := range name {
+		isLower := ch >= 'a' && ch <= 'z'
+		isDigit := ch >= '0' && ch <= '9'
+		isHyphen := ch == '-'
+
+		if !isLower && !isDigit && !isHyphen {
+			return false
+		}
+
+		// Hyphen not allowed at start or end
+		if isHyphen && (i == 0 || i == len(name)-1) {
+			return false
+		}
+	}
+
+	return true
+}
+
 // readJSONLFile reads a JSONL file and returns parsed array of objects
 func readJSONLFile(path string) ([]map[string]interface{}, error) {
 	data, err := os.ReadFile(path)
@@ -131,4 +222,3 @@ func readJSONLFile(path string) ([]map[string]interface{}, error) {
 
 	return events, nil
 }
-

components/frontend/src/components/session-details-modal.tsx

@@ -1,13 +1,14 @@
 "use client";
 
-import { useState } from 'react';
+import { useCallback, useState } from 'react';
 import { Dialog, DialogContent, DialogHeader, DialogTitle } from '@/components/ui/dialog';
 import { Badge } from '@/components/ui/badge';
 import { Button } from '@/components/ui/button';
 import { Download, Loader2 } from 'lucide-react';
 import type { AgenticSession } from '@/types/agentic-session';
 import { getPhaseColor } from '@/utils/session-helpers';
 import { successToast } from '@/hooks/use-toast';
+import { useSessionExport } from '@/services/queries/use-sessions';
 
 function formatDuration(ms: number): string {
   const seconds = Math.floor(ms / 1000);
@@ -39,15 +40,6 @@ type SessionDetailsModalProps = {
   messageCount: number;
 };
 
-type ExportResponse = {
-  sessionId: string;
-  projectName: string;
-  exportDate: string;
-  aguiEvents: unknown[];
-  legacyMessages?: unknown[];
-  hasLegacy: boolean;
-};
-
 export function SessionDetailsModal({
   session,
   projectName,
@@ -57,57 +49,28 @@ export function SessionDetailsModal({
   k8sResources,
   messageCount,
 }: SessionDetailsModalProps) {
-  const [exportData, setExportData] = useState<ExportResponse | null>(null);
-  const [loadingExport, setLoadingExport] = useState(false);
   const [exportingAgui, setExportingAgui] = useState(false);
   const [exportingLegacy, setExportingLegacy] = useState(false);
   const sessionName = session.metadata?.name || '';
 
-  // Fetch export data when modal opens to determine what's available
-  const fetchExportData = async () => {
-    if (!sessionName || !projectName || exportData) return;
-    
-    setLoadingExport(true);
-    try {
-      const response = await fetch(
-        `/api/projects/${encodeURIComponent(projectName)}/agentic-sessions/${encodeURIComponent(sessionName)}/export`
-      );
-      
-      if (!response.ok) {
-        const errorData = await response.json();
-        throw new Error(errorData.error || 'Failed to load export data');
-      }
-      
-      const data: ExportResponse = await response.json();
-      setExportData(data);
-    } catch (error) {
-      console.error('Failed to load export data:', error);
-    } finally {
-      setLoadingExport(false);
-    }
-  };
-
-  // Fetch export data when modal opens
-  if (open && !exportData && !loadingExport) {
-    fetchExportData();
-  }
-
-  // Reset export data when modal closes
-  if (!open && exportData) {
-    setExportData(null);
-  }
+  // Use React Query hook - only fetches when modal is open
+  const { data: exportData, isLoading: loadingExport } = useSessionExport(
+    projectName,
+    sessionName,
+    open // Only fetch when modal is open
+  );
 
-  const downloadFile = (data: unknown, filename: string) => {
+  const downloadFile = useCallback((data: unknown, filename: string) => {
     const blob = new Blob([JSON.stringify(data, null, 2)], { type: 'application/json' });
     const url = URL.createObjectURL(blob);
     const link = document.createElement('a');
     link.href = url;
     link.download = filename;
     link.click();
     URL.revokeObjectURL(url);
-  };
+  }, []);
 
-  const handleExportAgui = async () => {
+  const handleExportAgui = useCallback(() => {
     if (!exportData) return;
     setExportingAgui(true);
     try {
@@ -116,9 +79,9 @@ export function SessionDetailsModal({
     } finally {
       setExportingAgui(false);
     }
-  };
+  }, [exportData, sessionName, downloadFile]);
 
-  const handleExportLegacy = async () => {
+  const handleExportLegacy = useCallback(() => {
     if (!exportData?.legacyMessages) return;
     setExportingLegacy(true);
     try {
@@ -127,7 +90,7 @@ export function SessionDetailsModal({
     } finally {
       setExportingLegacy(false);
     }
-  };
+  }, [exportData, sessionName, downloadFile]);
 
   return (
     <Dialog open={open} onOpenChange={onOpenChange}>
@@ -273,4 +236,3 @@ export function SessionDetailsModal({
     </Dialog>
   );
 }
-

components/frontend/src/services/api/sessions.ts

@@ -175,3 +175,22 @@ export async function updateSessionDisplayName(
     { displayName }
   );
 }
+
+/**
+ * Export session chat data
+ */
+export type SessionExportResponse = {
+  sessionId: string;
+  projectName: string;
+  exportDate: string;
+  aguiEvents: unknown[];
+  legacyMessages?: unknown[];
+  hasLegacy: boolean;
+};
+
+export async function getSessionExport(
+  projectName: string,
+  sessionName: string
+): Promise<SessionExportResponse> {
+  return apiClient.get(`/projects/${projectName}/agentic-sessions/${sessionName}/export`);
+}

components/frontend/src/services/queries/use-sessions.ts

@@ -25,6 +25,8 @@ export const sessionKeys = {
     [...sessionKeys.details(), projectName, sessionName] as const,
   messages: (projectName: string, sessionName: string) =>
     [...sessionKeys.detail(projectName, sessionName), 'messages'] as const,
+  export: (projectName: string, sessionName: string) =>
+    [...sessionKeys.detail(projectName, sessionName), 'export'] as const,
 };
 
 /**
@@ -308,3 +310,15 @@ export function useUpdateSessionDisplayName() {
     },
   });
 }
+
+/**
+ * Hook to fetch session export data (AG-UI events + legacy messages)
+ */
+export function useSessionExport(projectName: string, sessionName: string, enabled: boolean) {
+  return useQuery({
+    queryKey: sessionKeys.export(projectName, sessionName),
+    queryFn: () => sessionsApi.getSessionExport(projectName, sessionName),
+    enabled: enabled && !!projectName && !!sessionName,
+    staleTime: 60000, // Cache for 1 minute
+  });
+}