codebadger

The server has critical security vulnerabilities. Specifically, tools like `get_method_source` and `get_code_snippet` construct file paths using user-provided `filename` parameters without sufficient path traversal validation. This allows an attacker to use `../` sequences in the `filename` to escape the intended codebase directory and potentially read arbitrary files from the host filesystem (since the Python server runs on the host and mounts the playground directory). The `find_bounds_checks` tool also interpolates user-provided `filename` directly into a Scala query, which could lead to path traversal vulnerabilities if Joern's internal file resolution doesn't fully sanitize it. The `run_cpgql_query` tool explicitly allows execution of arbitrary CPGQL queries, posing a risk of system information disclosure or manipulation within the sandboxed (but powerful) Joern environment, despite some basic input validation. The default server configuration listens on `0.0.0.0` (all network interfaces) and maps a wide range of ports (2000-2999) from the Docker container to the host, increasing the network attack surface.