Prevent URL path traversal bypass via percent encoding in UrlValidator #383
Open
sahvx655-wq wants to merge 1 commit into
Summary
This PR fixes a path validation bypass in UrlValidator where percent-encoded path traversal sequences could evade the existing parent-directory checks performed by isValidPath(String).
UrlValidator validates paths by normalizing the URL path and rejecting traversal attempts such as /../.
However, the validation logic operates on the raw path component. Percent-encoded traversal sequences (for example %2e%2e and %2f) are not interpreted during normalization and therefore are not collapsed into their equivalent ../ path segments.
As a result, inputs such as:
http://example.com/..%2fetc/passwd
http://example.com/%2e%2e/world
can bypass the existing traversal checks and be considered valid.
Decode traversal-relevant percent-encoded characters before normalization so that encoded traversal sequences are evaluated consistently with their literal equivalents.
This ensures that both literal and percent-encoded parent-directory traversal attempts are rejected by the existing validation logic.
Added regression tests covering:
..%2f
..%2F
%2e%2e/
%2e%2e%2f
The new tests fail prior to the fix and pass after the fix.
This change closes a validation gap in UrlValidator and ensures that directory traversal checks cannot be bypassed using percent-encoded path separators or dot segments.
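
The gap described above, as an added example that is not code from this pull request or from the project: it runs the same parent-directory check on the raw path and on the path with only %2e and %2f decoded. It assumes the check is built on java.net.URI.normalize(); the class and method names (EncodedTraversalDemo, decodeTraversalChars, escapesRoot) are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class EncodedTraversalDemo {

    // Hypothetical helper: decode only the escapes that can form a dot segment
    // or a separator (%2e -> '.', %2f -> '/'), in either hex case. Every other
    // escape, including a double-encoded %252e, is left exactly as written.
    static String decodeTraversalChars(String rawPath) {
        return rawPath.replaceAll("(?i)%2e", ".").replaceAll("(?i)%2f", "/");
    }

    // Parent-directory check on the normalized path. URI.normalize() works on
    // the raw path text and keeps a leading ".." that has no segment to cancel,
    // so a path that climbs above the root still starts with "/../" afterwards.
    static boolean escapesRoot(String path) throws URISyntaxException {
        String norm = new URI("http://localhost" + path).normalize().getRawPath();
        return norm.startsWith("/../") || norm.equals("/..");
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample paths; the first two are the paths of the URLs
        // quoted in the description above.
        String[] paths = {
            "/..%2fetc/passwd",        // encoded separator hides the ".." segment
            "/%2e%2e/world",           // encoded dots are not seen as ".."
            "/..%2F..",                // upper-case hex variant
            "/a/b/%2e%2e/c",           // climbs one level but stays under the root
            "/docs/v1%2E2/index.html"  // encoded dot that is not a dot segment
        };
        for (String p : paths) {
            boolean raw = escapesRoot(p);
            boolean decoded = escapesRoot(decodeTraversalChars(p));
            System.out.printf("%-26s raw=%-5b decoded=%-5b%n", p, raw, decoded);
        }
    }
}
```

The last two paths show why decoding is limited to traversal-relevant characters and followed by normalization: an encoded dot or a `..` that resolves inside the root should not cause a rejection.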