
fix: validate resolved path in createFolder to prevent traversal via folder name#88

Merged
DenizAltunkapan merged 1 commit into
Vault-Web:mainfrom
GabrielBBaldez:fix/createfolder-path-traversal
Jun 26, 2026

Conversation

@GabrielBBaldez

Contributor

What

FolderService.createFolder validated the parent path but not the resolved target, so a folder name containing .. escaped the user's root. Every other method in the service — delete, rename, getFolderTree — normalizes and re-validates the final path; createFolder was the only one that didn't. Same class of bug as #77 (which fixed it for upload); folder creation was missed.

  • createFolder(root, "", "../../hack") created a directory outside the user's root.
  • createFolder(root, "../../", "hack") was already blocked (the parent argument is validated); only the name vector was affected.

Fix

Normalize the resolved path and run it through the existing validatePath guard before Files.createDirectory, matching the other methods. Traversal attempts now surface as InvalidPathException (400) via the existing GlobalExceptionHandler.

Test

Added createFolder_pathTraversalViaName_throwsInvalidPathException for the name vector — the existing traversal test only exercised the parent-path parameter. All 55 FolderServiceTest tests pass; spotless clean.

Fixes #87

…folder name

createFolder validated the parent path but not the resolved target, so a folder name containing '..' escaped the user's root - the same gap Vault-Web#77 fixed for upload. Normalize the resolved path and run it through the existing validatePath guard before Files.createDirectory, matching delete/rename/getFolderTree. Add a regression test for the name vector.
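The gap described above and the shape of the fix, as an added, self-contained example: this is not Vault-Web's FolderService, and the names validatePath, createFolderVulnerable and createFolderFixed are illustrative, not the project's real signatures. The "before" version validates only the parent and trusts the folder name; the "after" version normalizes the fully resolved target and re-validates it before Files.createDirectory is called, which is the change the PR makes. Running main reproduces the createFolder(root, "", "../../hack") case on a temporary directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added example, not Vault-Web code. Method names are hypothetical.
public class FolderTraversalDemo {

    // Guard in the spirit of the PR's "existing validatePath" (assumed shape):
    // the absolute, normalized path must stay at or under the user's root.
    // Path.startsWith compares whole path components, so "/u/alice" does not
    // accidentally accept "/u/alice2".
    static Path validatePath(Path root, Path candidate) {
        Path normalizedRoot = root.toAbsolutePath().normalize();
        Path normalized = candidate.toAbsolutePath().normalize();
        if (!normalized.startsWith(normalizedRoot)) {
            throw new InvalidPathException(candidate.toString(),
                    "Resolved path escapes user root");
        }
        return normalized;
    }

    // "Before": only the parent argument is validated; the name is trusted,
    // so a name such as "../../hack" walks out of the root.
    static Path createFolderVulnerable(Path root, String parent, String name)
            throws IOException {
        Path parentDir = validatePath(root, root.resolve(parent));
        Path target = parentDir.resolve(name); // not normalized or re-checked
        return Files.createDirectory(target);
    }

    // "After": resolve, normalize and re-validate the final target
    // before touching the filesystem.
    static Path createFolderFixed(Path root, String parent, String name)
            throws IOException {
        Path parentDir = validatePath(root, root.resolve(parent));
        Path target = validatePath(root, parentDir.resolve(name));
        return Files.createDirectory(target);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/users/alice is the user's root.
        Path outside = Files.createTempDirectory("vault-demo");
        Path root = Files.createDirectories(outside.resolve("users/alice"));

        // A legitimate name works in the fixed version.
        System.out.println("created: " + createFolderFixed(root, "", "docs"));

        // Vulnerable version: the directory lands at <tmp>/hack, outside the root.
        Path escaped = createFolderVulnerable(root, "", "../../hack");
        System.out.println("vulnerable created " + escaped
                + "; under root? " + escaped.startsWith(root));

        // Fixed version: rejected before Files.createDirectory runs.
        try {
            createFolderFixed(root, "", "../../hack2");
            System.out.println("fixed: unexpected success");
        } catch (InvalidPathException e) {
            System.out.println("fixed: rejected (" + e.getReason() + ")");
        }
    }
}
```

Two caveats a reviewer would raise against a guard like this one. First, normalize() is purely lexical: if the user root, or anything under it, can contain a symlink pointing outside, only a check after toRealPath() (which follows links and requires the path to exist) reflects where the directory would actually be created. Second, the check must run on the same path that is handed to Files.createDirectory; validating one Path object and creating from another (for example re-resolving the raw name afterwards) reintroduces the gap.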
Copilot AI review requested due to automatic review settings June 26, 2026 14:05

Copilot AI left a comment


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@DenizAltunkapan DenizAltunkapan merged commit f1297a9 into Vault-Web:main Jun 26, 2026
1 check passed

Development

Successfully merging this pull request may close these issues.

[Bug]: Path traversal on folder creation (name not validated)

3 participants