fix(storage): block path traversal in filters API on localfs#1727
fix(storage): block path traversal in filters API on localfs#1727ygndotgg wants to merge 1 commit into
Conversation
Validate filter stream names before creating or updating filters, and reject path-traversal components in LocalFS delete operations so authenticated users cannot escape the configured data directory via /api/v1/filters.
WalkthroughUser-defined filter stream names are validated during creation and modification, with invalid names returning HTTP 400. Local filesystem deletion rejects relative paths containing parent-directory components and reports a traversal error. ChangesUser filter stream validation
Local filesystem path validation
Estimated code review effort: 3 (Moderate) | ~20 minutes Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/storage/localfs.rs`:
- Around line 431-440: Centralize native path validation by adding an
ensure_safe_path helper and updating path_in_root to return Result<PathBuf,
ObjectStorageError>, validate its resolved path there, and propagate errors at
every caller. Apply ensure_safe_path unconditionally to get_object’s final
file_path before fs::read, including the snapshot-resolution branch; update
put_object, delete_prefix, and delete_object to use the validated path and
remove delete_object’s old relative_path-only check.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: f2d028c4-a98d-4fb9-babc-92f30ef23a1b
📒 Files selected for processing (3)
src/handlers/http/users/filters.rssrc/storage/localfs.rssrc/storage/mod.rs
Fixes #XXXX.
Description
This PR fixes a path traversal issue in the Filters API that allowed an authenticated low-
privilege user to write or delete files outside the configured data directory when the local
filesystem storage backend was enabled.
The chosen fix is intentionally minimal and defensive:
stream_nameat the Filters API handler boundary before create/update operations400 Bad RequestLocalFS::delete_objectto block..traversal componentsSummary by CodeRabbit
400 Bad Requestresponse.