Reject absolute paths in devToolsFileFromPath

[adilburaksen]

Problem

LocalFileSystem.devToolsFileFromPath() is documented as "Only files within ~/.flutter-devtools/ can be accessed" and enforces that with pathFromDevToolsDir.contains('..'). However it does not reject absolute paths. path.join(devToolsDir(), pathFromDevToolsDir) discards the base directory when the second argument is absolute, so an absolute pathFromDevToolsDir (which contains no ..) escapes the intended directory.

This is reachable via getBaseAppSizeFile/getTestAppSizeFile (handlers/_app_size.dart, appSizeBase/appSizeTest parameters) -> devToolsFileAsJson -> devToolsFileFromPath, allowing a caller to read an arbitrary .json file on the machine rather than only files under ~/.flutter-devtools/.

Fix

• Reject absolute paths (path.isAbsolute) in addition to the existing .. check.
• Add a defense-in-depth path.isWithin(devToolsDir, resolvedPath) containment check on the resolved path.

[gemini-code-assist]

Code Review

This pull request improves path validation in devToolsFileFromPath to prevent arbitrary file reads by rejecting absolute paths and ensuring the resolved path is within the DevTools directory. The reviewer recommends adding automated tests to verify these security-critical checks and prevent regressions.

[gemini-code-assist]

[MUST-FIX] Please add automated tests to verify these security-critical path validation checks.\n\nSince this change fixes a security vulnerability (arbitrary file read via path traversal/absolute paths), it is crucial to have automated tests to prevent regressions.\n\nThe tests should cover:\n- Valid relative paths (should be allowed and return the file if it exists).\n- Absolute paths (should be rejected).\n- Path traversal attempts using .. (should be rejected).\n- Root-relative paths (e.g., starting with / or \\ on Windows, which might bypass path.isAbsolute but should be caught by path.isWithin).

References

1. All changes should include automated tests to ensure correctness and prevent regressions. ^(link)