
Conversation

@thiyaguk09
Contributor

Description

This PR reverts the updates made in PR #2654 (fix: Implement path containment to prevent traversal attacks).

The original fix aimed to patch a potential path traversal vulnerability in the download functionality. However, subsequent testing revealed that the implementation introduced unintended regressions in the following areas:

File Naming/Structure: It caused legitimate download paths to be incorrectly sanitized or blocked (e.g., when using specific relative paths or symbolic links).

This revert is necessary to restore stability and correct behavior to the download API immediately. A safer, more robust solution to address the path traversal vulnerability will be developed and implemented in a subsequent PR.

Impact

The impact of this revert is:

  • Stability Restored: The regressions caused by the original fix are eliminated, restoring correct download behavior for existing users.
  • Vulnerability Reintroduced: The original, underlying path traversal vulnerability that the branch attempted to fix is temporarily reintroduced.
  • No Breaking Changes: There are no breaking changes to the public API contract.

Testing

  • Tests Changed: No new tests were added in this PR. This commit simply reverts the code changes and test additions/modifications from the original fix.
  • The original failing scenarios (before the path traversal fix was introduced) have been re-verified to ensure that stability is restored.
  • No breaking changes are necessary.

Additional Information

This revert is an emergency measure. A higher-priority ticket has been created to implement a more thoroughly tested and less intrusive solution for path traversal protection, which will be submitted as soon as possible. We are prioritizing immediate functional correctness over the security fix in the short term.

Checklist

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease
  • Appropriate docs were updated
  • Appropriate comments were added, particularly in complex areas or places that require background
  • No new warnings or issues will be generated from this change

Fixes #2660

@product-auto-label product-auto-label bot added size: m Pull request size is medium. api: storage Issues related to the googleapis/nodejs-storage API. labels Oct 29, 2025
@thiyaguk09 thiyaguk09 marked this pull request as ready for review October 29, 2025 08:27
@thiyaguk09 thiyaguk09 requested review from a team as code owners October 29, 2025 08:27
@ddelgrosso1 ddelgrosso1 added the owlbot:run Add this label to trigger the Owlbot post processor. label Oct 29, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Oct 29, 2025
@ddelgrosso1
Contributor

Was this created manually? If so, can you close and re-open as a proper revert from the original PR.

@thiyaguk09
Contributor Author

This was closed as a manual PR and has been re-opened from the original PR.

@thiyaguk09 thiyaguk09 closed this Oct 30, 2025
@thiyaguk09 thiyaguk09 deleted the revert/fix-download-path-traversal branch October 30, 2025 06:31

Labels

api: storage Issues related to the googleapis/nodejs-storage API. size: m Pull request size is medium.

Development

Successfully merging this pull request may close these issues.

downloadManyFiles can't write to tempdir outside of cwd
