fix: prevent path traversal in storage handler#689
Conversation
Reject keys containing '..' pattern to prevent path traversal attacks (e.g., '../../etc/passwd'). All handlers using this helper function are now protected. Fixes #683
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
- Check for path separators (/ and \) in addition to ".." - Prevents encoded and mixed separator bypass attempts - Add test case for path traversal rejection Fixes #683
The Gin glob pattern *key captures paths with leading /, so forward slashes in keys are normal. Revert to only checking for ".." pattern while adding clarifying comment. This fixes test failures in TestStorageHandlerUpload and other storage handler tests that use keys like "test.txt".
Summary
getBucketAndKeyRequiredhelper..pattern before reaching storage serviceFixes
Fixes #683
Test plan