fix: prevent path traversal in database path resolution

resolve_database_path() passed user input directly to PathBuf::join()
without validation. Since join() replaces the base on absolute paths and
preserves ".." segments, a malicious path could escape the app config
directory.

Add multi-layer validation in validate_and_resolve(): reject null bytes,
absolute paths, and parent-directory components, then canonicalize and
verify containment. In-memory database paths are passed through
unchanged.

Refactor resolve_migration_path() to delegate to resolve_database_path()
so all entry points share the same validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: pmorris-dev

src/error.rs

@@ -27,6 +27,10 @@ pub enum Error {
    #[error("invalid database path: {0}")]
    InvalidPath(String),
 
+   /// Path traversal attempt detected.
+   #[error("path traversal not allowed: {0}")]
+   PathTraversal(String),
+
    /// Attempted to access a database that hasn't been loaded.
    #[error("database {0} not loaded")]
    DatabaseNotLoaded(String),
@@ -67,6 +71,7 @@ impl Error {
          Error::Toolkit(e) => e.error_code(),
          Error::Migration(_) => "MIGRATION_ERROR".to_string(),
          Error::InvalidPath(_) => "INVALID_PATH".to_string(),
+         Error::PathTraversal(_) => "PATH_TRAVERSAL".to_string(),
          Error::DatabaseNotLoaded(_) => "DATABASE_NOT_LOADED".to_string(),
          Error::ObservationNotEnabled(_) => "OBSERVATION_NOT_ENABLED".to_string(),
          Error::Other(_) => "ERROR".to_string(),

src/lib.rs

@@ -473,17 +473,13 @@ fn emit_migration_event<R: Runtime>(
    }
 }
 
-/// Resolve database path for migrations (similar to wrapper but accessible at init).
+/// Resolve database path for migrations.
+///
+/// Delegates to `resolve::resolve_database_path` to ensure consistent path validation
+/// across all entry points.
 fn resolve_migration_path<R: Runtime>(
    path: &str,
    app: &tauri::AppHandle<R>,
 ) -> Result<std::path::PathBuf> {
-   let app_path = app
-      .path()
-      .app_config_dir()
-      .map_err(|_| Error::InvalidPath("No app config path found".to_string()))?;
-
-   std::fs::create_dir_all(&app_path)?;
-
-   Ok(app_path.join(path))
+   crate::resolve::resolve_database_path(path, app)
 }

src/resolve.rs

@@ -1,5 +1,5 @@
 use std::fs::create_dir_all;
-use std::path::PathBuf;
+use std::path::{Component, Path, PathBuf};
 
 use sqlx_sqlite_conn_mgr::SqliteDatabaseConfig;
 use sqlx_sqlite_toolkit::DatabaseWrapper;
@@ -23,8 +23,11 @@ pub async fn connect<R: Runtime>(
 
 /// Resolve database file path relative to app config directory.
 ///
-/// Paths are joined to `app_config_dir()` (e.g., `Library/Application Support/${bundleIdentifier}` on iOS).
-/// Special paths like `:memory:` are passed through unchanged.
+/// Paths are joined to `app_config_dir()` (e.g., `Library/Application Support/${bundleIdentifier}`
+/// on iOS). Special paths like `:memory:` are passed through unchanged.
+///
+/// Returns `Err(Error::PathTraversal)` if the path attempts to escape the app config directory
+/// via absolute paths, `..` segments, or null bytes.
 pub fn resolve_database_path<R: Runtime>(path: &str, app: &AppHandle<R>) -> Result<PathBuf, Error> {
    let app_path = app
       .path()
@@ -33,6 +36,172 @@ pub fn resolve_database_path<R: Runtime>(path: &str, app: &AppHandle<R>) -> Resu
 
    create_dir_all(&app_path)?;
 
-   // Join the relative path to the app config directory
-   Ok(app_path.join(path))
+   validate_and_resolve(path, &app_path)
+}
+
+/// Validate a user-supplied path and resolve it against a base directory.
+///
+/// In-memory database paths are passed through unchanged. All other paths are validated
+/// to ensure they cannot escape the base directory.
+fn validate_and_resolve(path: &str, base: &Path) -> Result<PathBuf, Error> {
+   // Pass through in-memory database paths unchanged — they don't touch the filesystem.
+   // Matches the same patterns as `is_memory_database` in sqlx-sqlite-conn-mgr.
+   if is_memory_path(path) {
+      return Ok(PathBuf::from(path));
+   }
+
+   // Reject null bytes — these can truncate paths in C-level filesystem calls
+   if path.contains('\0') {
+      return Err(Error::PathTraversal("path contains null byte".to_string()));
+   }
+
+   let rel = Path::new(path);
+
+   // Reject absolute paths — PathBuf::join replaces the base when given an absolute path
+   if rel.is_absolute() {
+      return Err(Error::PathTraversal(
+         "absolute paths are not allowed".to_string(),
+      ));
+   }
+
+   // Reject parent directory components — prevents escaping the base via `../`
+   for component in rel.components() {
+      if matches!(component, Component::ParentDir) {
+         return Err(Error::PathTraversal(
+            "parent directory references are not allowed".to_string(),
+         ));
+      }
+   }
+
+   // Join and canonicalize to verify containment. The parent directory is canonicalized
+   // because the file may not exist yet.
+   let joined = base.join(rel);
+   let canonical_base = base
+      .canonicalize()
+      .map_err(|e| Error::InvalidPath(format!("cannot canonicalize base path: {e}")))?;
+
+   let canonical_resolved = if joined.exists() {
+      joined.canonicalize()
+   } else {
+      // Canonicalize the parent and re-append the file name
+      joined
+         .parent()
+         .ok_or_else(|| Error::InvalidPath("path has no parent".to_string()))?
+         .canonicalize()
+         .map(|parent| parent.join(joined.file_name().unwrap_or_default()))
+   }
+   .map_err(|e| Error::InvalidPath(format!("cannot canonicalize path: {e}")))?;
+
+   if !canonical_resolved.starts_with(&canonical_base) {
+      return Err(Error::PathTraversal(
+         "resolved path escapes the base directory".to_string(),
+      ));
+   }
+
+   // Return the original (non-canonicalized) joined path for consistency with how the
+   // rest of the codebase references database paths.
+   Ok(joined)
+}
+
+/// Check if a path string represents an in-memory SQLite database.
+///
+/// Matches the same patterns as `is_memory_database` in `sqlx-sqlite-conn-mgr`:
+/// `:memory:`, `file::memory:*` URIs, and `mode=memory` query parameters.
+fn is_memory_path(path: &str) -> bool {
+   path == ":memory:"
+      || path.starts_with("file::memory:")
+      || (path.starts_with("file:") && path.contains("mode=memory"))
+}
+
+#[cfg(test)]
+mod tests {
+   use super::*;
+   use std::fs;
+
+   /// Helper that creates a temporary base directory for testing.
+   fn make_temp_base() -> PathBuf {
+      let dir = std::env::temp_dir().join(format!("tauri_sqlite_test_{}", std::process::id()));
+      fs::create_dir_all(&dir).unwrap();
+      dir
+   }
+
+   #[test]
+   fn test_simple_filename() {
+      let base = make_temp_base();
+      let result = validate_and_resolve("mydb.db", &base).unwrap();
+      assert_eq!(result, base.join("mydb.db"));
+   }
+
+   #[test]
+   fn test_subdirectory_path() {
+      let base = make_temp_base();
+      // Create the subdirectory so canonicalize can resolve it
+      fs::create_dir_all(base.join("subdir")).unwrap();
+      let result = validate_and_resolve("subdir/mydb.db", &base).unwrap();
+      assert_eq!(result, base.join("subdir/mydb.db"));
+   }
+
+   #[test]
+   fn test_memory_passthrough() {
+      let base = make_temp_base();
+      assert_eq!(
+         validate_and_resolve(":memory:", &base).unwrap(),
+         PathBuf::from(":memory:"),
+      );
+   }
+
+   #[test]
+   fn test_file_memory_uri_passthrough() {
+      let base = make_temp_base();
+      assert_eq!(
+         validate_and_resolve("file::memory:?cache=shared", &base).unwrap(),
+         PathBuf::from("file::memory:?cache=shared"),
+      );
+   }
+
+   #[test]
+   fn test_mode_memory_passthrough() {
+      let base = make_temp_base();
+      assert_eq!(
+         validate_and_resolve("file:test?mode=memory", &base).unwrap(),
+         PathBuf::from("file:test?mode=memory"),
+      );
+   }
+
+   #[test]
+   fn test_rejects_parent_traversal() {
+      let base = make_temp_base();
+      let err = validate_and_resolve("../../../etc/passwd", &base).unwrap_err();
+      assert!(matches!(err, Error::PathTraversal(_)));
+   }
+
+   #[test]
+   fn test_rejects_absolute_path() {
+      let base = make_temp_base();
+      let err = validate_and_resolve("/etc/passwd", &base).unwrap_err();
+      assert!(matches!(err, Error::PathTraversal(_)));
+   }
+
+   #[test]
+   fn test_rejects_embedded_traversal() {
+      let base = make_temp_base();
+      let err = validate_and_resolve("foo/../../bar", &base).unwrap_err();
+      assert!(matches!(err, Error::PathTraversal(_)));
+   }
+
+   #[test]
+   fn test_rejects_null_byte() {
+      let base = make_temp_base();
+      let err = validate_and_resolve("path\0evil", &base).unwrap_err();
+      assert!(matches!(err, Error::PathTraversal(_)));
+   }
+
+   #[test]
+   fn test_rejects_non_uri_mode_memory() {
+      let base = make_temp_base();
+      // A bare filename containing "mode=memory" is not a valid SQLite URI —
+      // it should go through normal path validation, not be passed through.
+      let result = validate_and_resolve("evil.db?mode=memory", &base).unwrap();
+      assert_eq!(result, base.join("evil.db?mode=memory"));
+   }
 }