fix(security): prevent path traversal in S3 and Azure store providers

[heatxsink]

Bug Summary

The S3 and Azure storage providers lack path traversal validation in their key/blob-name construction methods. Unlike FilesystemStore, which properly uses Path.resolve() and Path.relative_to() to prevent ../ escapes, the cloud providers simply concatenate the configured prefix with the user-supplied path. A project_id or source parameter containing ../../other-user/ can escape the intended directory structure and access other tenants' data on S3/Azure.

Affected Files and Lines

• packages/ai/src/ai/account/store_providers/s3.py — S3Store._get_key() (lines 349-354)
• packages/ai/src/ai/account/store_providers/azure.py — AzureBlobStore._get_blob_name() (lines 341-346)

Root Cause

Both methods perform only a backslash-to-forward-slash replacement and then concatenate the prefix with the path:

def _get_key(self, path: str) -> str:
    path = path.replace('\\', '/')
    if self._prefix:
        return f'{self._prefix}/{path}'
    return path

No normalization or boundary check is applied, so ../ sequences in the path escape the prefix boundary.

Reproduction Steps

1. Configure an S3Store or AzureBlobStore with prefix tenant-A/data
2. Call _get_key('../../tenant-B/secrets.txt') (or the Azure equivalent)
3. Before fix: returns tenant-A/data/../../tenant-B/secrets.txt, which S3/Azure resolves to tenant-B/secrets.txt — cross-tenant access
4. After fix: raises StorageError('Path traversal detected: ...')

Severity: HIGH

Cross-tenant data access in a multi-tenant cloud storage system. Any API endpoint that accepts user-supplied file paths and passes them through to the store providers is affected.

Fix Description

Added path traversal validation to both _get_key() (S3) and _get_blob_name() (Azure):

1. Use posixpath.normpath() to canonicalize the full key/blob-name (resolves ../ sequences)
2. Verify the normalized result still starts with the configured prefix
3. Raise StorageError if traversal is detected

This mirrors the approach used by FilesystemStore._get_full_path(), which uses Path.resolve() + Path.relative_to() for the same purpose.

Tests/Validation

Added packages/ai/tests/ai/account/test_path_traversal.py with 14 test cases (7 per provider) covering:

• Normal paths resolve correctly
• Nested subdirectory paths work
• ../../ escaping the prefix is rejected
• Single ../ escaping a shallow prefix is rejected
• Backslash-based traversal (..\\..\\) is rejected
• Safe internal ../ (stays within prefix) is allowed
• No-prefix mode still normalizes paths

#frontier-tower-hackathon

[coderabbitai]

Warning

Rate limit exceeded

@heatxsink has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 8 minutes and 11 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1346ea92-a33d-4afb-9488-fc9be6594b1a

📥 Commits

Reviewing files that changed from the base of the PR and between fc3b4b5 and ebe0bbc.

📒 Files selected for processing (3)

• packages/ai/src/ai/account/store_providers/azure.py
• packages/ai/src/ai/account/store_providers/s3.py
• packages/ai/tests/ai/account/test_path_traversal.py

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[heatxsink]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.