fix(security): add path validation and handle branch creation race condition

Security fixes:
- Add validate_file_paths() to prevent directory traversal attacks
  in commit endpoint (rejects absolute paths, '..' segments, and
  paths that escape the workspace via symlink resolution)
- Handle branch creation race condition by returning 409 Conflict
  instead of 500 when concurrent requests create the same branch

Changes:
- Add os import for path validation
- Add validate_file_paths() function with commonpath check
- Call path validation before commit_task_changes()
- Update create_branch to return 409 for "already exists" errors
- Update test to expect 409 for duplicate branch creation
- Add 3 security tests for path validation (absolute, traversal, escape)

Test coverage: 50 tests passing

Author: Test User

codeframe/ui/routers/git.py

@@ -9,6 +9,7 @@
 """
 
 import logging
+import os
 import re
 from datetime import datetime, UTC
 from pathlib import Path
@@ -66,6 +67,49 @@ def validate_branch_name(branch_name: str) -> str:
     return branch_name
 
 
+def validate_file_paths(file_paths: List[str], repo_root: str) -> List[str]:
+    """Validate file paths to prevent directory traversal attacks.
+
+    Args:
+        file_paths: List of file paths to validate
+        repo_root: Repository root directory (working tree)
+
+    Returns:
+        List of validated, resolved file paths
+
+    Raises:
+        ValueError: If any path is invalid or attempts to escape the workspace
+    """
+    validated_paths = []
+    repo_root_resolved = os.path.realpath(repo_root)
+
+    for path in file_paths:
+        # Reject absolute paths
+        if os.path.isabs(path):
+            raise ValueError(f"Absolute paths not allowed: {path}")
+
+        # Reject paths with '..' segments (directory traversal)
+        if '..' in path.split(os.sep) or '..' in path.split('/'):
+            raise ValueError(f"Path traversal not allowed: {path}")
+
+        # Resolve the path against repo root
+        candidate = os.path.join(repo_root_resolved, path)
+        resolved = os.path.realpath(candidate)
+
+        # Ensure resolved path is within repo root
+        try:
+            common = os.path.commonpath([repo_root_resolved, resolved])
+            if common != repo_root_resolved:
+                raise ValueError(f"Path escapes workspace: {path}")
+        except ValueError:
+            # commonpath raises ValueError for paths on different drives (Windows)
+            raise ValueError(f"Path escapes workspace: {path}")
+
+        validated_paths.append(path)
+
+    return validated_paths
+
+
 logger = logging.getLogger(__name__)
 
 router = APIRouter(prefix="/api/projects", tags=["git"])
@@ -263,9 +307,10 @@ async def create_branch(
 
     Raises:
         HTTPException:
-            - 400: Branch already exists or invalid parameters
+            - 400: Invalid parameters
             - 403: Access denied
             - 404: Project or issue not found
+            - 409: Branch already exists (including concurrent creation)
             - 500: Git operation failed
     """
     # Get project and check access
@@ -314,9 +359,20 @@ async def create_branch(
         )
 
     except ValueError as e:
-        # Branch already exists or validation error
+        # Branch already exists (pre-check) or validation error
+        error_msg = str(e).lower()
+        if "already exists" in error_msg:
+            raise HTTPException(status_code=409, detail=str(e))
         raise HTTPException(status_code=400, detail=str(e))
     except git.GitCommandError as e:
+        # Handle race condition: branch created between check and create_head
+        error_msg = str(e).lower()
+        if "already exists" in error_msg or "cannot lock ref" in error_msg:
+            logger.warning(f"Branch creation race condition detected: {e}")
+            raise HTTPException(
+                status_code=409,
+                detail=f"Branch already exists (concurrent creation detected)"
+            )
         logger.error(f"Git error creating branch: {e}")
         raise HTTPException(status_code=500, detail=f"Git operation failed: {e}")
 
@@ -491,6 +547,12 @@ async def create_commit(
     # Get workflow manager
     workflow_manager = get_git_workflow_manager(project, db)
 
+    # Validate file paths to prevent directory traversal attacks
+    try:
+        validate_file_paths(request.files_modified, workflow_manager.repo.working_tree_dir)
+    except ValueError as e:
+        raise HTTPException(status_code=400, detail=str(e))
+
     try:
         # Create task dict for commit_task_changes
         task_dict = {

tests/api/test_git_api.py

@@ -259,8 +259,8 @@ def test_create_branch_requires_issue_title(self, api_client, test_project_with_
         )
         assert response.status_code == 422
 
-    def test_create_duplicate_branch_returns_400(self, api_client, test_project_with_issue):
-        """Test that creating duplicate branch returns 400."""
+    def test_create_duplicate_branch_returns_409_conflict(self, api_client, test_project_with_issue):
+        """Test that creating duplicate branch returns 409 Conflict."""
         project = test_project_with_issue
 
         # Create branch first time
@@ -272,15 +272,16 @@ def test_create_duplicate_branch_returns_400(self, api_client, test_project_with
             },
         )
 
-        # Try to create same branch again
+        # Try to create same branch again - should return 409 Conflict
         response = api_client.post(
             f"/api/projects/{project['project_id']}/git/branches",
             json={
                 "issue_number": project["issue_number"],
                 "issue_title": project["issue_title"],
             },
         )
-        assert response.status_code == 400
+        assert response.status_code == 409
+        assert "already exists" in response.json()["detail"].lower()
 
     def test_create_branch_issue_not_found(self, api_client, test_project_with_git):
         """Test that creating branch with non-existent issue returns 404."""
@@ -599,6 +600,49 @@ def test_commit_task_not_found(self, api_client, test_project_with_git):
         )
         assert response.status_code == 404
 
+    def test_commit_rejects_absolute_paths(self, api_client, test_project_with_task):
+        """Test that absolute file paths are rejected (security)."""
+        project = test_project_with_task
+        response = api_client.post(
+            f"/api/projects/{project['project_id']}/git/commit",
+            json={
+                "task_id": project["task_id"],
+                "files_modified": ["/etc/passwd"],
+                "agent_id": "backend-worker-001",
+            },
+        )
+        assert response.status_code == 400
+        assert "absolute" in response.json()["detail"].lower()
+
+    def test_commit_rejects_path_traversal(self, api_client, test_project_with_task):
+        """Test that path traversal attempts are rejected (security)."""
+        project = test_project_with_task
+        response = api_client.post(
+            f"/api/projects/{project['project_id']}/git/commit",
+            json={
+                "task_id": project["task_id"],
+                "files_modified": ["../../../etc/passwd"],
+                "agent_id": "backend-worker-001",
+            },
+        )
+        assert response.status_code == 400
+        assert "traversal" in response.json()["detail"].lower()
+
+    def test_commit_rejects_workspace_escape(self, api_client, test_project_with_task):
+        """Test that paths escaping workspace are rejected (security)."""
+        project = test_project_with_task
+        # Use a path that doesn't have '..' but could resolve outside via symlinks
+        # This tests the commonpath check
+        response = api_client.post(
+            f"/api/projects/{project['project_id']}/git/commit",
+            json={
+                "task_id": project["task_id"],
+                "files_modified": ["subdir/../../../outside.txt"],
+                "agent_id": "backend-worker-001",
+            },
+        )
+        assert response.status_code == 400
+
 
 # ============================================================================
 # Commit Listing Tests