fix: path traversal with relaxed key in file backend

ferhatelmas · ferhatelmas · commit b374168c56f1 · 2026-03-10T10:02:59.000+01:00
Signed-off-by: ferhat elmas &lt;elmas.ferhat@gmail.com&gt;
diff --git a/src/storage/backend/file.ts b/src/storage/backend/file.ts
@@ -342,18 +342,17 @@ export class FileBackend implements StorageBackendAdapter {
     cacheControl: string
   ): Promise<string | undefined> {
     const uploadId = randomUUID()
-    const multiPartFolder = this.resolveSecurePath(
-      path.join('multiparts', uploadId, bucketName, withOptionalVersion(key, version))
-    )
-    const multipartFile = this.resolveSecurePath(
-      path.join(
-        'multiparts',
-        uploadId,
-        bucketName,
-        withOptionalVersion(key, version),
-        'metadata.json'
-      )
-    )
+    const multiPartFolder = this.resolveSecureMultipartPath(uploadId, {
+      bucketName,
+      key,
+      version,
+    })
+    const multipartFile = this.resolveSecureMultipartPath(uploadId, {
+      bucketName,
+      key,
+      version,
+      suffix: 'metadata.json',
+    })
     await fsExtra.ensureDir(multiPartFolder)
     await fsExtra.writeFile(multipartFile, JSON.stringify({ contentType, cacheControl }))
 
@@ -368,15 +367,12 @@ export class FileBackend implements StorageBackendAdapter {
     partNumber: number,
     body: stream.Readable
   ): Promise<{ ETag?: string }> {
-    const partPath = this.resolveSecurePath(
-      path.join(
-        'multiparts',
-        uploadId,
-        bucketName,
-        withOptionalVersion(key, version),
-        `part-${partNumber}`
-      )
-    )
+    const partPath = this.resolveSecureMultipartPath(uploadId, {
+      bucketName,
+      key,
+      version,
+      suffix: `part-${partNumber}`,
+    })
 
     const writeStream = fsExtra.createWriteStream(partPath)
 
@@ -404,15 +400,12 @@ export class FileBackend implements StorageBackendAdapter {
     }
   > {
     const partsByEtags = parts.map(async (part) => {
-      const partFilePath = this.resolveSecurePath(
-        path.join(
-          'multiparts',
-          uploadId,
-          bucketName,
-          withOptionalVersion(key, version),
-          `part-${part.PartNumber}`
-        )
-      )
+      const partFilePath = this.resolveSecureMultipartPath(uploadId, {
+        bucketName,
+        key,
+        version,
+        suffix: `part-${part.PartNumber}`,
+      })
       const partExists = await fsExtra.pathExists(partFilePath)
 
       if (partExists) {
@@ -432,15 +425,12 @@ export class FileBackend implements StorageBackendAdapter {
 
     const multipartStream = this.mergePartStreams(finalParts)
     const metadataContent = await fsExtra.readFile(
-      this.resolveSecurePath(
-        path.join(
-          'multiparts',
-          uploadId,
-          bucketName,
-          withOptionalVersion(key, version),
-          'metadata.json'
-        )
-      ),
+      this.resolveSecureMultipartPath(uploadId, {
+        bucketName,
+        key,
+        version,
+        suffix: 'metadata.json',
+      }),
       'utf-8'
     )
 
@@ -455,7 +445,7 @@ export class FileBackend implements StorageBackendAdapter {
       metadata.cacheControl
     )
 
-    fsExtra.remove(this.resolveSecurePath(path.join('multiparts', uploadId))).catch(() => {
+    fsExtra.remove(this.resolveSecureMultipartPath(uploadId)).catch(() => {
       // no-op
     })
 
@@ -473,7 +463,7 @@ export class FileBackend implements StorageBackendAdapter {
     uploadId: string,
     version?: string
   ): Promise<void> {
-    const multiPartFolder = this.resolveSecurePath(path.join('multiparts', uploadId))
+    const multiPartFolder = this.resolveSecureMultipartPath(uploadId)
 
     await fsExtra.remove(multiPartFolder)
 
@@ -495,15 +485,12 @@ export class FileBackend implements StorageBackendAdapter {
     sourceVersion?: string,
     rangeBytes?: { fromByte: number; toByte: number }
   ): Promise<{ eTag?: string; lastModified?: Date }> {
-    const partFilePath = this.resolveSecurePath(
-      path.join(
-        'multiparts',
-        UploadId,
-        storageS3Bucket,
-        withOptionalVersion(key, version),
-        `part-${PartNumber}`
-      )
-    )
+    const partFilePath = this.resolveSecureMultipartPath(UploadId, {
+      bucketName: storageS3Bucket,
+      key,
+      version,
+      suffix: `part-${PartNumber}`,
+    })
     const sourceFilePath = this.resolveSecurePath(
       `${storageS3Bucket}/${withOptionalVersion(sourceKey, sourceVersion)}`
     )
@@ -692,6 +679,34 @@ export class FileBackend implements StorageBackendAdapter {
     return normalizedPath
   }
 
+  private resolveSecureMultipartPath(
+    uploadId: string,
+    options?: {
+      bucketName?: string
+      key?: string
+      version?: string
+      suffix?: string
+    }
+  ): string {
+    // Intentionally avoid path.join for attacker-controlled segments so dot segments remain visible
+    // to resolveSecurePath instead of being normalized away beforehand.
+    let relativePath = `multiparts/${uploadId}`
+
+    if (typeof options?.bucketName === 'string') {
+      relativePath += `/${options.bucketName}`
+    }
+
+    if (typeof options?.key === 'string') {
+      relativePath += `/${withOptionalVersion(options.key, options.version)}`
+    }
+
+    if (typeof options?.suffix === 'string') {
+      relativePath += `/${options.suffix}`
+    }
+
+    return this.resolveSecurePath(relativePath)
+  }
+
   private async etag(file: string, stats: fs.Stats): Promise<string> {
     if (this.etagAlgorithm === 'md5') {
       const checksum = await this.computeMd5(file)
diff --git a/src/test/file-backend.test.ts b/src/test/file-backend.test.ts
@@ -314,6 +314,22 @@ describe('FileBackend traversal protection', () => {
     })
   })
 
+  it('rejects multipart keys that only rebase within the storage root', async () => {
+    const traversalKey = '../multipart-rebased.txt'
+
+    await expect(
+      backend.createMultiPartUpload('bucket', traversalKey, 'v1', 'text/plain', 'no-cache')
+    ).rejects.toMatchObject({
+      code: 'InvalidKey',
+    })
+
+    await expect(
+      backend.uploadPart('bucket', traversalKey, 'v1', 'upload-id', 1, Readable.from('escape-part'))
+    ).rejects.toMatchObject({
+      code: 'InvalidKey',
+    })
+  })
+
   it('rejects traversal key in object operations with InvalidKey', async () => {
     const traversalKey = `${'../'.repeat(20)}tmp/${escapePrefix}/object-escape.txt`
 
@@ -408,6 +424,14 @@ describe('FileBackend traversal protection', () => {
       code: 'InvalidKey',
     })
   })
+
+  it('rejects multipart upload ids that would be normalized to sibling in-root paths', async () => {
+    await expect(
+      backend.abortMultipartUpload('bucket', 'key', '../upload-id')
+    ).rejects.toMatchObject({
+      code: 'InvalidKey',
+    })
+  })
 })
 
 describe('FileBackend lastModified', () => {
