Skip to content

fix(security): improve path traversal validation with comprehensive test #25515

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
fsdkibe wants to merge 9 commits into
base: master
Choose a base branch
from
Open

fix(security): improve path traversal validation with comprehensive test #25515

fsdkibe wants to merge 9 commits into from
+226 −47

Conversation

@fsdkibe
Copy link

@fsdkibe fsdkibe commented Dec 4, 2025

Description

This PR enhances the security logic in EnforceToCurrentRoot by refactoring it to use filepath.Rel for validation. This serves as a security hardening improvement for the path traversal logic discussed in #25370.

Instead of manual string prefix checking, this implementation uses Go's standard library to robustly handle complex paths (including .. notation), ensuring strict directory containment.

Implementation changes

  • Replaced manual string prefix checking with filepath.Rel for lexical containment.
  • Added filepath.Clean to normalize paths before validation.
  • Added explicit checks for .. to detect and block escape attempts.
  • Simplified the function signature and logic for better maintainability.

Test improvements

  • Added 10 core validation test cases covering various traversal attempts.
  • Added edge case handling (empty paths, double slashes).
  • Verified performance (~316ns/op).

Related

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Title of the PR
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@fsdkibe fsdkibe requested a review from a team as a code owner December 4, 2025 14:27
@bunnyshell
Copy link

bunnyshell bot commented Dec 4, 2025
edited
Loading

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

  • 🔵 /bns:start to start the environment
  • 🚀 /bns:deploy to redeploy the environment
  • /bns:delete to remove the environment

@fsdkibe fsdkibe mentioned this pull request Dec 4, 2025
Draft
14 tasks
@codecov
Copy link

codecov bot commented Dec 4, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 86.66667% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 62.48%. Comparing base (7cdc0f9) to head (ad247a1).

Files with missing lines Patch % Lines
util/app/path/path.go 85.71% 1 Missing and 1 partial ⚠️
util/security/path_traversal.go 87.50% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #25515      +/-   ##
==========================================
+ Coverage   62.45%   62.48%   +0.03%     
==========================================
  Files         351      351              
  Lines       49490    49495       +5     
==========================================
+ Hits        30910    30928      +18     
+ Misses      15621    15606      -15     
- Partials     2959     2961       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

ppapapetrou76
ppapapetrou76 approved these changes Dec 4, 2025
View reviewed changes
Copy link
Contributor

@ppapapetrou76 ppapapetrou76 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - nice
Clean and concise

blakepettersson
blakepettersson reviewed Dec 4, 2025
View reviewed changes
util/security/path_traversal.go
}
return requestedDir + string(filepath.Separator) + requestedFile, nil
}
cleanRoot := filepath.Clean(currentRoot)
Copy link
Member

@blakepettersson blakepettersson Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we please use os.Root for this?

blakepettersson
blakepettersson requested changes Dec 4, 2025
View reviewed changes
Copy link
Member

@blakepettersson blakepettersson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my comment

@fsdkibe fsdkibe force-pushed the feat/issue-25366-path-security branch from 5dbf279 to d264016 Compare December 4, 2025 20:08
@fsdkibe fsdkibe force-pushed the feat/issue-25366-path-security branch from 76bcf07 to 3951087 Compare December 4, 2025 20:28
@fsdkibe fsdkibe force-pushed the feat/issue-25366-path-security branch from 2818859 to 2daa044 Compare December 5, 2025 05:53
@fsdkibe fsdkibe requested review from a team as code owners December 5, 2025 05:53
@fsdkibe fsdkibe force-pushed the feat/issue-25366-path-security branch from 2daa044 to 3951087 Compare December 5, 2025 05:57
@fsdkibe fsdkibe force-pushed the feat/issue-25366-path-security branch 4 times, most recently from 8d91975 to 3079182 Compare December 5, 2025 09:09
@fsdkibe
chore: trigger CI re-run
ad247a1 
Signed-off-by: Duncan Kibet <[email protected]>
@fsdkibe fsdkibe force-pushed the feat/issue-25366-path-security branch from 3079182 to ad247a1 Compare December 5, 2025 09:34
@fsdkibe
Copy link
Author

fsdkibe commented Dec 5, 2025
edited
Loading

@blakepettersson, as requested, I have made the necessary changes. I've also incorporated the necessary path normalization changes from PR #25370 into this branch to ensure all tests pass.

The path normalization changes were needed because the security refactor's tests require properly cleaned paths to validate correctly.

If the changes are now in line with what you suggested, then we can close the other PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@blakepettersson blakepettersson blakepettersson requested changes

+1 more reviewer

@ppapapetrou76 ppapapetrou76 ppapapetrou76 approved these changes

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fsdkibe @blakepettersson @ppapapetrou76