π‘οΈ Sentinel: [CRITICAL] Fix path traversal in checksum and UploadId#102
π‘οΈ Sentinel: [CRITICAL] Fix path traversal in checksum and UploadId#102tomdesair wants to merge 2 commits into
Conversation
π¨ Severity: CRITICAL π‘ Vulnerability: Path traversal vulnerability allowed files to be read and created outside the designated upload directory. Checksum fields and UploadId values weren't validated against common path traversal characters like `..`, `/` or `\`. π― Impact: Arbitrary file write/overwrite and read outside of the intended app directories. π§ Fix: - Added `isSafePathComponent` helper method in `AbstractDiskBasedService.java` to block unsafe inputs. - Validated `UploadId` inputs in `AbstractDiskBasedService.getPathInStorageDirectory`. - Verified `checksum` values in `DiskStorageService` functions (`getUploadInfoByChecksum`, `update`, `terminateUpload`) prior to attempting filesystem operations. - Added comprehensive unit test coverage (`testUnsafeChecksumValue`, `testGetUploadInfoByChecksumUnsafe`, `testPathTraversalUploadIdEncoded`) to enforce validation. β Verification: Ran unit tests to ensure safe path operations complete and path traversal attempts raise expected exceptions (`IOException`, `IllegalArgumentException`). Code formatting passes checkstyle. Co-authored-by: tomdesair <14034630+tomdesair@users.noreply.github.com>
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
π¨ Severity: CRITICAL
π‘ Vulnerability: Path traversal vulnerability allowed files to be read and created outside the designated upload directory. Checksum fields and UploadId values weren't validated against common path traversal characters like `..`, `/` or `\`.
π― Impact: Arbitrary file write/overwrite and read outside of the intended app directories.
π§ Fix:
- Added `isSafePathComponent` helper method in `AbstractDiskBasedService.java` to block unsafe inputs.
- Validated `UploadId` inputs in `AbstractDiskBasedService.getPathInStorageDirectory`.
- Verified `checksum` values in `DiskStorageService` functions (`getUploadInfoByChecksum`, `update`, `terminateUpload`) prior to attempting filesystem operations.
- Fixed `DiskLockingServiceTest.testRequestLockReleaseCreatesParentDirectory` and removed `.resolve("subdir")` testing invalid upload ids since it now throws an error.
- Added comprehensive unit test coverage (`testUnsafeChecksumValue`, `testGetUploadInfoByChecksumUnsafe`, `testPathTraversalUploadIdEncoded`) to enforce validation.
β
Verification: Ran unit tests to ensure safe path operations complete and path traversal attempts raise expected exceptions (`IOException`, `IllegalArgumentException`). Code formatting passes checkstyle.
Co-authored-by: tomdesair <14034630+tomdesair@users.noreply.github.com>
π‘οΈ Sentinel: [CRITICAL] Fix path traversal in checksum and UploadId
π¨ Severity: CRITICAL
π‘ Vulnerability: Path traversal vulnerability allowed files to be read and created outside the designated upload directory. Checksum fields and UploadId values weren't validated against common path traversal characters like
..,/or\.π― Impact: Arbitrary file write/overwrite and read outside of the intended app directories.
π§ Fix:
isSafePathComponenthelper method inAbstractDiskBasedService.javato block unsafe inputs.UploadIdinputs inAbstractDiskBasedService.getPathInStorageDirectory.checksumvalues inDiskStorageServicefunctions (getUploadInfoByChecksum,update,terminateUpload) prior to attempting filesystem operations.testUnsafeChecksumValue,testGetUploadInfoByChecksumUnsafe,testPathTraversalUploadIdEncoded) to enforce validation.β Verification: Ran unit tests to ensure safe path operations complete and path traversal attempts raise expected exceptions (
IOException,IllegalArgumentException). Code formatting passes checkstyle.PR created automatically by Jules for task 10565677734019531756 started by @tomdesair