Skip to content

🔒 Fix path traversal vulnerability in folder creation and object handlers#64

Merged
damacus merged 1 commit into
mainfrom
fix/path-traversal-folder-creation-10173848129759502010
May 12, 2026
Merged

🔒 Fix path traversal vulnerability in folder creation and object handlers#64
damacus merged 1 commit into
mainfrom
fix/path-traversal-folder-creation-10173848129759502010

Conversation

@damacus
Copy link
Copy Markdown
Owner

@damacus damacus commented May 11, 2026

🎯 What: This PR fixes a path traversal vulnerability in CreateFolder where the folderName argument was concatenated directly with prefix without proper sanitization. It also extends this protection to other object operations like UploadObject, DeleteObject, and DownloadObject for robust defense-in-depth against malicious directory traversal payloads.

⚠️ Risk: Without this validation, a malicious actor could pass ../../ sequences in the folderName or prefix fields. Since these map directly to the S3 object keys created in MinIO, an attacker could traverse and place/delete arbitrary object keys outside the intended namespace, potentially overwriting legitimate files or escaping expected logical boundaries.

🛡️ Solution: Added a strict helper function isValidObjectKey that explicitly blocks inputs containing directory traversal (..) or absolute paths (leading /). This is enforced across multiple relevant handlers (CreateFolder, UploadObject, DeleteObject, DownloadObject), returning an HTTP 400 Bad Request error upon violation. Included tests to verify this prevention logic works as intended.

PR created automatically by Jules for task 10173848129759502010 started by @damacus

@google-labs-jules @damacus
fix(security): prevent path traversal in object keys and folder creation
ac8c606 
Co-authored-by: damacus <40786+damacus@users.noreply.github.com>
@google-labs-jules
Copy link
Copy Markdown
Contributor

google-labs-jules Bot commented May 11, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@damacus damacus merged commit d0464ff into main May 12, 2026
4 checks passed
@damacus damacus deleted the fix/path-traversal-folder-creation-10173848129759502010 branch May 12, 2026 10:38
@patchbotmcbotface patchbotmcbotface Bot mentioned this pull request May 12, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@damacus