fix(rag): reject unsafe runtime file paths

src/langbot/pkg/api/http/controller/groups/plugins.py

@@ -39,6 +39,16 @@ def _normalize_plugin_asset_path(filepath: str) -> str | None:
     return f'assets/{normalized}'
 
 
+def _get_request_origin() -> str:
+    """Return the public request origin, respecting reverse-proxy headers."""
+    forwarded_proto = quart.request.headers.get('X-Forwarded-Proto', '').split(',')[0].strip()
+    forwarded_host = quart.request.headers.get('X-Forwarded-Host', '').split(',')[0].strip()
+
+    scheme = forwarded_proto or quart.request.scheme
+    host = forwarded_host or quart.request.host
+    return f'{scheme}://{host}'
+
+
 @group.group_class('plugins', '/api/v1/plugins')
 class PluginsRouterGroup(group.RouterGroup):
     async def _check_extensions_limit(self) -> str | None:
@@ -189,7 +199,7 @@ class PluginsRouterGroup(group.RouterGroup):
             # CSP for HTML pages served to sandboxed iframes (opaque origin).
             # 'self' doesn't work in sandboxed iframes — use actual server origin.
             if mime_type and mime_type.startswith('text/html'):
-                origin = f'{quart.request.scheme}://{quart.request.host}'
+                origin = _get_request_origin()
                 resp.headers['Content-Security-Policy'] = (
                     f'default-src {origin}; '
                     f"script-src {origin} 'unsafe-inline'; "

src/langbot/pkg/rag/service/runtime.py

@@ -1,8 +1,12 @@
 from __future__ import annotations
 
 import posixpath
-from typing import Any
+import re
-from langbot.pkg.core import app
+from typing import TYPE_CHECKING, Any
+from urllib.parse import unquote
+
+if TYPE_CHECKING:
+    from langbot.pkg.core import app
 
 
 class RAGRuntimeService:
@@ -109,8 +113,17 @@ class RAGRuntimeService:
         regardless of the underlying storage provider.
         """
         # Validate storage_path to prevent path traversal
-        normalized = posixpath.normpath(storage_path)
+        decoded_path = unquote(storage_path).replace('\\', '/')
-        if normalized.startswith('/') or '..' in normalized.split('/'):
+        decoded_segments = decoded_path.split('/')
+        normalized = posixpath.normpath(decoded_path)
+        if (
+            not storage_path
+            or '\x00' in decoded_path
+            or normalized.startswith('/')
+            or '..' in decoded_segments
+            or '..' in normalized.split('/')
+            or re.match(r'^[A-Za-z]:/', normalized)
+        ):
             raise ValueError('Invalid storage path')
         content_bytes = await self.ap.storage_mgr.storage_provider.load(normalized)
         return content_bytes if content_bytes else b''

tests/unit_tests/rag/test_runtime_service.py

@@ -0,0 +1,68 @@
+from __future__ import annotations
+
+from types import SimpleNamespace
+
+import pytest
+
+from langbot.pkg.rag.service.runtime import RAGRuntimeService
+
+
+class DummyStorageProvider:
+    def __init__(self, content: bytes | None = b'data'):
+        self.content = content
+        self.loaded_paths: list[str] = []
+
+    async def load(self, path: str):
+        self.loaded_paths.append(path)
+        return self.content
+
+
+def make_service(storage_provider: DummyStorageProvider) -> RAGRuntimeService:
+    return RAGRuntimeService(SimpleNamespace(storage_mgr=SimpleNamespace(storage_provider=storage_provider)))
+
+
+@pytest.mark.asyncio
+async def test_get_file_stream_normalizes_safe_path():
+    storage_provider = DummyStorageProvider()
+    service = make_service(storage_provider)
+
+    content = await service.get_file_stream('safe/./nested/file.pdf')
+
+    assert content == b'data'
+    assert storage_provider.loaded_paths == ['safe/nested/file.pdf']
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    'storage_path',
+    [
+        '',
+        '../secret.txt',
+        '/absolute/path.txt',
+        '..\\secret.txt',
+        'nested\\..\\secret.txt',
+        '%2e%2e/secret.txt',
+        'nested/%2e%2e/secret.txt',
+        'C:\\secret.txt',
+        'safe/\x00file.txt',
+    ],
+)
+async def test_get_file_stream_rejects_unsafe_paths(storage_path: str):
+    storage_provider = DummyStorageProvider()
+    service = make_service(storage_provider)
+
+    with pytest.raises(ValueError, match='Invalid storage path'):
+        await service.get_file_stream(storage_path)
+
+    assert storage_provider.loaded_paths == []
+
+
+@pytest.mark.asyncio
+async def test_get_file_stream_returns_empty_bytes_for_missing_content():
+    storage_provider = DummyStorageProvider(content=None)
+    service = make_service(storage_provider)
+
+    content = await service.get_file_stream('safe/file.pdf')
+
+    assert content == b''
+    assert storage_provider.loaded_paths == ['safe/file.pdf']

web/src/app/infra/http/BackendClient.ts

@@ -590,6 +590,9 @@ export class BackendClient extends BaseHttpClient {
     name: string,
     filepath: string,
   ): string {
+    if (this.instance.defaults.baseURL === '/') {
+      return `${window.location.origin}/api/v1/plugins/${author}/${name}/assets/${filepath}`;
+    }
     return (
       this.instance.defaults.baseURL +
       `/api/v1/plugins/${author}/${name}/assets/${filepath}`