
Conversation

@thiyaguk09 thiyaguk09 (Contributor) commented Oct 30, 2025

Description

This PR reverts the updates made in PR #2654 ("fix: Implement path containment to prevent traversal attacks").

The original fix aimed to patch a potential path traversal vulnerability in the download functionality. However, subsequent testing revealed that the implementation introduced unintended regressions in the following areas:

  • File Naming/Structure: It caused legitimate download paths to be incorrectly sanitized or blocked (e.g., when using specific relative paths or symbolic links).

This revert is necessary to restore stability and correct behavior to the download API immediately. A safer, more robust solution to address the path traversal vulnerability will be developed and implemented in a subsequent PR.

Impact

The impact of this revert is:

  • Stability Restored: The regressions caused by the original fix are eliminated, restoring correct download behavior for existing users.
  • Vulnerability Reintroduced: The original, underlying path traversal vulnerability that the branch attempted to fix is temporarily reintroduced.
  • No Breaking Changes: There are no breaking changes to the public API contract.

Testing

  • Tests Changed: No new tests were added in this PR. This commit simply reverts the code changes and test additions/modifications from the original fix.
  • The original failing scenarios (before the path traversal fix was introduced) have been re-verified to ensure that stability is restored.
  • No breaking changes are necessary.

Additional Information

This revert is an emergency measure. A higher-priority ticket has been created to implement a more thoroughly tested and less intrusive solution for path traversal protection, which will be submitted as soon as possible. We are prioritizing immediate functional correctness over the security fix in the short term.

Checklist

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease
  • Appropriate docs were updated
  • Appropriate comments were added, particularly in complex areas or places that require background
  • No new warnings or issues will be generated from this change

Fixes #2660

BEGIN_COMMIT_OVERRIDE
fix: revert implement path containment to prevent traversal attacks
END_COMMIT_OVERRIDE

@thiyaguk09 thiyaguk09 requested review from a team as code owners October 30, 2025 06:30
@product-auto-label product-auto-label bot added size: m Pull request size is medium. api: storage Issues related to the googleapis/nodejs-storage API. labels Oct 30, 2025
@eliekozah eliekozah self-requested a review October 30, 2025 14:55
@ddelgrosso1 ddelgrosso1 merged commit 254b6b2 into main Oct 30, 2025
19 checks passed
@ddelgrosso1 ddelgrosso1 deleted the revert-2654-fix/download-path-traversal branch October 30, 2025 14:56

Linked issue (may be closed by merging this PR): downloadManyFiles can't write to tempdir outside of cwd

4 participants