fix: Safer file path handling for the service

To avoid path traversal the service will only operate within its work directory.

Author: jentfoo

AGENTS.md

@@ -16,7 +16,6 @@ make build          # Build to bin/sectool
 make build-cross    # Cross-compile (linux/darwin, amd64/arm64)
 make test           # Quick tests (-short flag)
 make test-all       # Full tests with -race and coverage
-make test-cover     # Generate HTML coverage report (test.out)
 make lint           # Run golangci-lint and go vet
 ```
 
@@ -256,7 +255,7 @@ All endpoints over Unix socket at `.sectool/service/socket`:
 - Test case names should be at most 3 to 5 words and in lower case with underscores
 - Assertions rely on `testify` (`require` for setup, `assert` for assertions)
 - With assertions don't include messages unless the message provides context outside of the test point, or the two variables being evaluated
-- Always verify with `make test` and `make lint` before considering changes complete
+- Always verify with `make test-all` and `make lint` before considering changes complete
 - Isolated temp directories via `t.TempDir()`
 - Context timeouts via `t.Context()`
 - Mock MCP server available via `service/mcp.NewTestMCPServer()`

sectool/proxy/export.go

@@ -10,7 +10,7 @@ import (
 	"github.com/jentfoo/llm-security-toolbox/sectool/service"
 )
 
-func export(timeout time.Duration, flowID, out string) error {
+func export(timeout time.Duration, flowID string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
@@ -26,7 +26,6 @@ func export(timeout time.Duration, flowID, out string) error {
 
 	resp, err := client.ProxyExport(ctx, &service.ProxyExportRequest{
 		FlowID: flowID,
-		OutDir: out,
 	})
 	if err != nil {
 		return fmt.Errorf("proxy export failed: %w", err)

sectool/proxy/flags.go

@@ -118,18 +118,15 @@ proxy export <flow_id>
   Note: Prefer 'replay send --flow' with modification flags for simple changes.
   Export is useful for complex edits (raw body, binary data, etc).
 
-  Creates bundle in .sectool/requests/<id>/:
+  Creates bundle in .sectool/requests/<bundle_id>/:
     request.http       HTTP headers with body placeholder
     body               request body (edit this for modifications)
     request.meta.json  metadata (method, URL, timestamps)
 
-  Options:
-    --out <path>            custom output directory
-
   Examples:
     sectool proxy list --host example.com     # find flow_id
-    sectool proxy export f7k2x                # outputs: .sectool/requests/f7k2x/
-    sectool replay send --bundle .sectool/requests/f7k2x
+    sectool proxy export f7k2x                # exports to .sectool/requests/<bundle_id>/
+    sectool replay send --bundle <bundle_id>  # replay the exported bundle
 
   Output: Bundle path and files created
 
@@ -300,10 +297,8 @@ func parseExport(args []string) error {
 	fs := pflag.NewFlagSet("proxy export", pflag.ContinueOnError)
 	fs.SetInterspersed(true)
 	var timeout time.Duration
-	var out string
 
 	fs.DurationVar(&timeout, "timeout", 30*time.Second, "client-side timeout")
-	fs.StringVar(&out, "out", "", "output directory (default: .sectool/requests/<auto>)")
 
 	fs.Usage = func() {
 		fmt.Fprint(os.Stderr, `Usage: sectool proxy export <flow_id> [options]
@@ -338,7 +333,7 @@ Options:
 		return errors.New("flow_id required (get from 'sectool proxy list' with filters)")
 	}
 
-	return export(timeout, fs.Args()[0], out)
+	return export(timeout, fs.Args()[0])
 }
 
 // TODO - planned intercept feature

sectool/replay/flags.go

@@ -45,7 +45,7 @@ Workflow:
   3. Or export, edit files, then replay:
        sectool proxy export <flow_id>
        # edit .sectool/requests/<bundle_id>/body
-       sectool replay send --bundle .sectool/requests/<bundle_id>
+       sectool replay send --bundle <bundle_id>
 
 ---
 
@@ -55,7 +55,7 @@ replay send [options]
 
   Input sources (exactly one required):
     --flow <flow_id>      replay from proxy history
-    --bundle <path>       replay from exported bundle directory
+    --bundle <bundle_id>  replay from exported bundle (from proxy export)
     --file <path>         replay from raw HTTP file (- for stdin)
 
   Request modifications (combine multiple):
@@ -88,7 +88,7 @@ replay send [options]
     sectool replay send --flow f7k2x --set-header "Authorization: Bearer tok"
     sectool replay send --flow f7k2x --path /api/v2/users --set-query "id=123"
     sectool replay send --flow f7k2x --set-json "user.role=admin"
-    sectool replay send --bundle .sectool/requests/abc123
+    sectool replay send --bundle abc123
     sectool replay send --file request.http --body payload
 
   Output: Markdown with replay_id, status, headers, body preview
@@ -119,7 +119,7 @@ func parseSend(args []string) error {
 
 	fs.DurationVar(&timeout, "timeout", 30*time.Second, "client-side timeout")
 	fs.StringVar(&flow, "flow", "", "flow_id to replay from proxy history")
-	fs.StringVar(&bundle, "bundle", "", "path to request bundle directory")
+	fs.StringVar(&bundle, "bundle", "", "bundle_id from proxy export")
 	fs.StringVar(&file, "file", "", "path to request.http file (- for stdin)")
 	fs.StringVar(&body, "body", "", "path to body file (use with --file)")
 	fs.StringVar(&target, "target", "", "override target URL (scheme://host:port)")
@@ -142,7 +142,7 @@ Send a request through the HTTP backend.
 
 Input sources (exactly one required):
   --flow <flow_id>      Replay from proxy history (get flow_id from 'sectool proxy list')
-  --bundle <path>       Replay from exported bundle (create with 'sectool proxy export')
+  --bundle <bundle_id>  Replay from exported bundle (create with 'sectool proxy export')
   --file <path>         Replay from raw HTTP file (- for stdin)
 
 File format (--file):

sectool/replay/replay.go

@@ -69,9 +69,15 @@ func send(timeout time.Duration, flow, bundle, file, body, target string, header
 		return fmt.Errorf("failed to start service: %w (check %s)", err, client.LogPath())
 	}
 
+	// Extract base name for backward compat with full paths
+	bundleID := bundle
+	if bundle != "" {
+		bundleID = filepath.Base(bundle)
+	}
+
 	req := &service.ReplaySendRequest{
 		FlowID:          flow,
-		BundlePath:      bundle,
+		BundleID:        bundleID,
 		FilePath:        file,
 		BodyPath:        body,
 		Target:          target,

sectool/service/backend_oast_interactsh_test.go

@@ -13,6 +13,7 @@ func TestInteractshBackend_CreateAndClose(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test in short mode")
 	}
+	t.Parallel()
 
 	backend := NewInteractshBackend()
 	t.Cleanup(func() { _ = backend.Close() })
@@ -59,6 +60,7 @@ func TestInteractshBackend_PollSession(t *testing.T) {
 		if testing.Short() {
 			t.Skip("skipping integration test in short mode")
 		}
+		t.Parallel()
 
 		backend := NewInteractshBackend()
 		t.Cleanup(func() { _ = backend.Close() })
@@ -278,7 +280,7 @@ func TestInteractshBackend_PollSession(t *testing.T) {
 			done <- pollResult{result, err}
 		}()
 
-		time.Sleep(50 * time.Millisecond)
+		time.Sleep(20 * time.Millisecond)
 		sess.mu.Lock()
 		sess.events = append(sess.events, OastEventInfo{
 			ID:   "new_event",

sectool/service/handler_test.go

@@ -10,7 +10,8 @@ import (
 )
 
 // testServerWithMCP creates a test server with mock MCP and returns cleanup func.
-func testServerWithMCP(t *testing.T) (*Server, *TestMCPServer) {
+// Returns server, mock MCP, and the workDir for creating test files within bounds.
+func testServerWithMCP(t *testing.T) (*Server, *TestMCPServer, string) {
 	t.Helper()
 
 	mockMCP := NewTestMCPServer(t)
@@ -34,7 +35,7 @@ func testServerWithMCP(t *testing.T) (*Server, *TestMCPServer) {
 		<-serverErr
 	})
 
-	return srv, mockMCP
+	return srv, mockMCP, workDir
 }
 
 // doRequest is a helper to make HTTP requests to the server.

sectool/service/ids/ids.go

@@ -30,3 +30,20 @@ func Generate(length int) string {
 
 	return string(result)
 }
+
+// IsValid returns true if the ID contains only valid base62 characters.
+// Used to validate user-supplied IDs to prevent path traversal.
+func IsValid(id string) bool {
+	if id == "" {
+		return false
+	}
+	for _, c := range id {
+		isDigit := c >= '0' && c <= '9'
+		isUpper := c >= 'A' && c <= 'Z'
+		isLower := c >= 'a' && c <= 'z'
+		if !isDigit && !isUpper && !isLower {
+			return false
+		}
+	}
+	return true
+}

sectool/service/ids/ids_test.go

@@ -54,6 +54,37 @@ func TestGenerate(t *testing.T) {
 	})
 }
 
+func TestIsValid(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name  string
+		id    string
+		valid bool
+	}{
+		{"valid_alphanumeric", "abc123XYZ", true},
+		{"valid_numbers", "123456", true},
+		{"valid_lowercase", "abcdef", true},
+		{"valid_uppercase", "ABCDEF", true},
+		{"valid_generated", Generate(DefaultLength), true},
+		{"empty", "", false},
+		{"with_slash", "abc/def", false},
+		{"with_backslash", "abc\\def", false},
+		{"with_dot", "abc.def", false},
+		{"with_dotdot", "..", false},
+		{"path_traversal", "../etc/passwd", false},
+		{"with_space", "abc def", false},
+		{"with_dash", "abc-def", false},
+		{"with_underscore", "abc_def", false},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.valid, IsValid(tc.id))
+		})
+	}
+}
+
 func BenchmarkGenerate(b *testing.B) {
 	for range b.N {
 		Generate(DefaultLength)