🔒 [security fix] Path Traversal in BrowserController and DownloadController#118
Conversation
…oller Addresses a path traversal vulnerability in the file manager where arbitrary file access was possible via the 'path' or 'file' parameters. - Implemented centralized path sanitization in `FileManagerController::cleanPath`. - Rejects any paths containing '..' to prevent directory traversal. - Updated `DownloadController` to inherit from `FileManagerController` and use the new sanitization logic. - Added explicit file existence check in `DownloadController` using the Storage facade. - Added comprehensive security tests in `PathTraversalTest.php`. Co-authored-by: juzaweb <47020363+juzaweb@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
juzaweb
deleted the
security-fix-path-traversal-browser-controller-3829253760826571357
branch
1 participant
This PR fixes a security vulnerability that allowed path traversal in the file manager's
showFileandgetDownloadendpoints.🎯 What
The
showFileandgetDownloadmethods used user-supplied paths to access files on the storage disk without sufficient sanitization. This allowed an attacker to use../sequences to access files outside the intended storage root.An attacker could potentially read sensitive system files or other users' private files if the storage disk had access to them, leading to information disclosure.
🛡️ Solution
cleanPathmethod to the baseFileManagerControllerthat:.., preventing any traversal attempts.DownloadControllerto extendFileManagerControllerand use thecleanPathlogic.DownloadController::getDownloadto verify file existence viaStorage::exists($file)before attempting to retrieve the local path, ensuring that traversal attempts that bypass string checks (if any) are caught by the filesystem driver's own security boundaries.tests/Feature/Security/PathTraversalTest.phpcovering standard traversal, nested bypass attempts (....//), and edge cases.PR created automatically by Jules for task 3829253760826571357 started by @juzaweb