fix(storage): reject object keys containing path traversal (#683) #697

Open: jackthepunished wants to merge 1 commit into poyrazK:main from jackthepunished:fix/storage-path-traversal-683


@jackthepunished (Contributor)

Adds `validateObjectKey` and calls it from `getBucketAndKeyRequired` so every storage handler (Upload, Download, Delete, multipart, presigned, list versions) rejects keys containing `..` segments or NUL bytes before the key reaches the backend.

Closes #683.

Copilot AI review requested due to automatic review settings May 25, 2026 03:08
@coderabbitai

coderabbitai Bot commented May 25, 2026

Warning

Review limit reached

@jackthepunished, we couldn't start this review because you've used your available PR reviews for now.

📥 Commits

Reviewing files that changed from the base of the PR and between e0f151b and d73cd6d.

📒 Files selected for processing (2)
  • internal/handlers/helper.go
  • internal/handlers/helper_test.go

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds validation for object keys to prevent unsafe keys from reaching the storage backend, along with regression tests for path traversal handling.

Changes:

  • Added validateObjectKey and integrated it into getBucketAndKeyRequired.
  • Added handler tests to ensure path traversal-like keys are rejected and nested keys are accepted.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| internal/handlers/helper.go | Adds object-key validation and calls it before returning bucket/key. |
| internal/handlers/helper_test.go | Adds regression tests for rejecting traversal keys and allowing nested keys. |


Comment on lines +73 to +90
func validateObjectKey(key string) error {
if strings.ContainsRune(key, 0x00) {
return errors.New(errors.InvalidInput, "invalid characters in key")
}

for _, seg := range strings.Split(key, "/") {
if seg == ".." {
return errors.New(errors.InvalidInput, "path traversal in key")
}
}

// Reject keys whose canonical form would be just the root or empty.
cleaned := path.Clean("/" + strings.TrimPrefix(key, "/"))
if cleaned == "/" {
return errors.New(errors.InvalidInput, "invalid key")
}
return nil
}
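Review bot: the segment loop splits only on "/", so a `..` segment delimited by backslashes never compares equal to ".." and the key is accepted. If any backend maps keys onto a filesystem that treats backslash as a separator, reject "\" in the key next to the NUL check, or state in the doc comment that backends must treat keys as "/"-delimited only. Separately, the path.Clean test only catches keys whose canonical form is the root (such as "." or "/"); a "." segment inside a longer key, as in "a/./b", is accepted unchanged, which deserves a sentence in the comment if it is intended.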
Comment on lines +67 to +72
// validateObjectKey rejects object keys that could be used for path traversal,
// contain control characters, or would otherwise be unsafe when used as a
// backend object name. Any `..` segment in the raw key is rejected (we do
// not silently collapse it, because the user request explicitly tried to
// reference a parent directory). NUL bytes are rejected outright because
// they can truncate strings in some backends.
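Review bot: the comment says keys that "contain control characters" are rejected, but the function it documents (lines +73 to +90) checks only for the NUL byte 0x00, so other control characters such as newline or carriage return pass. Either narrow the wording to "NUL bytes" or extend the check to the whole control range so that comment and code agree. The comment also omits the third rejection case, keys whose cleaned form is the root.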
Comment on lines +126 to +139
t.Run("rejects path traversal", func(t *testing.T) {
badKeys := []string{"../foo", "a/../b", "../../etc/passwd", "..\x00", "/../escape"}
for _, k := range badKeys {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
c.Params = []gin.Param{
{Key: "bucket", Value: testBucket},
{Key: "key", Value: k},
}
_, _, ok := getBucketAndKeyRequired(c)
assert.Falsef(t, ok, "expected key %q to be rejected", k)
assert.Equal(t, http.StatusBadRequest, w.Code)
}
})
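Review bot: badKeys has no NUL-only case and no key that reaches the path.Clean branch. The one NUL case, "..\x00", is rejected by the NUL check (its only segment is "..\x00", not ".."), and every other key contains a ".." segment. Add a key with a NUL and no dots, and one that canonicalises to the root, so each branch of validateObjectKey is covered on its own. The assert.Equal on w.Code also carries no message, so a wrong status does not say which key failed; pass k as the message argument or run each key in its own t.Run(k, ...).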
@github-actions github-actions Bot added the area/handlers, bug, and size/xs labels May 25, 2026

Successfully merging this pull request may close these issues.

CRITICAL: Path traversal in storage handler - no key sanitization

2 participants