## SBOM Task Functions Contain Critical Path Traversal Vulnerability, Exposing Cross-Project File Access
A critical path traversal vulnerability has been identified in four SBOM (Software Bill of Materials) task functions in the codebase: `generate_sbom`, `score_tool`, `score_attestation`, and `score_osv`. Each builds a file system path directly from the user-supplied `args.file_path` and `args.revision_number` without verifying that the resulting path stays inside the intended project or revision directory. The form submission that originally accepts these values validates them with `safe.RelPath`, but the task functions later reuse the raw stored strings without re-validating containment. This is a Time-of-Check-Time-of-Use (TOCTOU) pattern: the check happens once at submission, the use happens later inside the task, and nothing ties the two together.

The vulnerability is located in `atr/tasks/sbom.py` across lines 50-120, 140-180, 200-240, and 260-300. An attacker capable of modifying the database or the task queue could exploit it by injecting path traversal sequences (e.g., `../../../`) into the stored values after validation has already happened, gaining unauthorized read or write access to files in other projects' directories and bypassing the intended access controls and isolation boundaries.

This flaw is a significant risk for any deployment running these SBOM analysis tasks, because it undermines the containment guarantee between projects. It could lead to data leakage, data corruption, or privilege escalation across project boundaries. It fails ASVS Level 1 and Level 2 requirements, i.e. basic security controls. Immediate remediation is required: path containment must be re-validated inside the task functions themselves, at the point of use, rather than trusted from the earlier form-submission check. That re-validation must operate on the resolved path, with `..` segments and symlinks collapsed, since a purely lexical check on the stored string can be bypassed.
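As an added example that is not the project's own code, the following Python places the flawed pattern beside a hardened form that re-checks containment at the point of use. The helper names (`build_task_path_unsafe`, `contained_path`, `build_task_path_safe`, `is_contained`), the directory layout `<base>/<project>/<revision>/<file_path>`, and the sample inputs in `demo()` are all assumptions made for this illustration; `safe.RelPath` and the real `atr/tasks/sbom.py` are not reproduced here.

```python
"""Illustrative code added to this page; it is not the project's own
atr/tasks/sbom.py. Helper names and the layout
<base>/<project>/<revision>/<file_path> are assumptions for the example."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a constructed path resolves outside its intended root."""


def is_contained(root: str | os.PathLike, candidate: str | os.PathLike) -> bool:
    """True if candidate, after collapsing '..' and symlinks, is strictly inside root."""
    root_r = Path(root).resolve()
    cand_r = Path(candidate).resolve()
    if cand_r == root_r:
        return False
    try:
        cand_r.relative_to(root_r)
    except ValueError:
        return False
    return True


def build_task_path_unsafe(base, project: str, revision: str, file_path: str) -> Path:
    """The flawed pattern: join stored values and trust them because the form
    handler validated them earlier. A '../' written into the stored row after
    that check is joined as-is."""
    return Path(base) / project / revision / file_path


def contained_path(root, part: str) -> Path:
    """Join one untrusted component under root and re-check containment at use time."""
    root_p = Path(root)
    if Path(part).is_absolute():
        # Path joining discards everything before an absolute component,
        # so '/etc/passwd' would silently replace the root.
        raise PathEscapeError(f"absolute component rejected: {part!r}")
    candidate = root_p / part
    if not is_contained(root_p, candidate):
        raise PathEscapeError(f"{part!r} escapes {root_p}")
    return candidate.resolve()


def build_task_path_safe(base, project: str, revision: str, file_path: str) -> Path:
    """Hardened form: each component is contained under the previous level, so
    neither revision nor file_path can climb out of the project directory."""
    project_dir = contained_path(base, project)
    revision_dir = contained_path(project_dir, revision)
    return contained_path(revision_dir, file_path)


def demo() -> dict:
    """Run both builders over constructed inputs in a throwaway directory."""
    base = Path(tempfile.mkdtemp(prefix="atr-example-"))
    (base / "proj-a" / "7").mkdir(parents=True)
    (base / "proj-b" / "3").mkdir(parents=True)
    (base / "proj-b" / "3" / "secret.txt").write_text("other project's data\n")
    # Constructed attacker value: a stored file_path that climbs into proj-b.
    hostile = "../../proj-b/3/secret.txt"
    unsafe = build_task_path_unsafe(base, "proj-a", "7", hostile)
    results = {
        "unsafe_escapes": not is_contained(base / "proj-a", unsafe),
        "unsafe_reads_other_project": unsafe.resolve().read_text().startswith("other"),
        "safe_ok": build_task_path_safe(base, "proj-a", "7", "sbom.json")
        == (base / "proj-a" / "7" / "sbom.json").resolve(),
    }
    try:
        build_task_path_safe(base, "proj-a", "7", hostile)
        results["safe_rejects_traversal"] = False
    except PathEscapeError:
        results["safe_rejects_traversal"] = True
    try:
        build_task_path_safe(base, "proj-a", "../proj-b", "3/secret.txt")
        results["safe_rejects_revision_traversal"] = False
    except PathEscapeError:
        results["safe_rejects_revision_traversal"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The containment check deliberately works on `Path.resolve()` output rather than on the stored string: that collapses `..` and follows symlinks, so a symlink planted inside a revision directory that points at another project is rejected as well. Checking each level separately (project, then revision, then file) also catches a traversal smuggled into `revision_number`, not only into `file_path`.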
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security_vulnerability, path_traversal, sbom, code_analysis, TOCTOU
- **Credibility**: unverified
- **Published**: 2026-04-03 15:27:03
- **ID**: 49294
- **URL**: https://whisperx.ai/en/intel/49294