Core - FolderSchemeHandlerFactory improve path check to prevent break out

- Prevent accessing resources outside of the root path specified.
- Add Test to verify

Author: amaitland

CefSharp.Test/SchemeHandler/FolderSchemeHandlerFactoryTests.cs

@@ -1,10 +1,11 @@
-using Xunit.Abstractions;
-using Xunit;
+using System;
+using System.IO;
 using System.Threading.Tasks;
-using CefSharp.OffScreen;
 using CefSharp.Example;
+using CefSharp.OffScreen;
 using CefSharp.SchemeHandler;
-using System.IO;
+using Xunit;
+using Xunit.Abstractions;
 
 namespace CefSharp.Test.SchemeHandler
 {
@@ -56,6 +57,64 @@ public async Task ShouldWork()
             }
         }
 
+        [Fact]
+        public async Task ShouldPreventPathTraversalAttack()
+        {
+            const string hostUrl = "https://folderschemehandlerfactory.test/";
+
+            // 1. Setup temporary directory structure
+            var tempParent = Path.Combine(Path.GetTempPath(), "CefSharpShouldPreventPathTraversalAttack-" + Guid.NewGuid());
+            var root = Path.Combine(tempParent, "www");
+            var sibling = Path.Combine(tempParent, "www2");
+
+            try
+            {
+                Directory.CreateDirectory(root);
+                Directory.CreateDirectory(sibling);
+
+                File.WriteAllText(Path.Combine(root, "index.html"), "root-index");
+                File.WriteAllText(Path.Combine(sibling, "secret.txt"), "sibling-secret");
+
+                // 2. Initialize the CefSharp context and browser instances
+                using (var requestContext = new RequestContext(Cef.GetGlobalRequestContext()))
+                using (var browser = new ChromiumWebBrowser(CefExample.DefaultUrl, requestContext: requestContext, useLegacyRenderHandler: false))
+                {
+                    _ = await browser.WaitForInitialLoadAsync();
+
+                    // Register factory targeting our custom root directory
+                    requestContext.RegisterSchemeHandlerFactory(
+                        "https",
+                        "folderschemehandlerfactory.test",
+                        new FolderSchemeHandlerFactory(root, defaultPage: "index.html"));
+
+                    // 3. Attempt to break out of 'www' using an escaped path traversal sequence
+                    var traversalUrl = hostUrl + "..%2fwww2/secret.txt";
+                    var response = await browser.LoadUrlAsync(traversalUrl);
+
+                    var mainFrame = browser.GetMainFrame();
+                    Assert.True(mainFrame.IsValid);
+
+                    // 4. Security Assertions: The factory should sanitize the path and return a 404.
+                    // If the code is secure, HttpStatusCode should be 404 (NotFound).
+                    Assert.Equal(404, response.HttpStatusCode);
+
+                    // Fetch DOM contents to double-check that the file contents leaked nowhere
+                    var jsResponse = await browser.EvaluateScriptAsync("document.documentElement.innerText");
+                    var bodyText = jsResponse.Result?.ToString() ?? string.Empty;
+
+                    Assert.DoesNotContain("sibling-secret", bodyText);
+                }
+            }
+            finally
+            {
+                // 5. Clean up temporary directories and files safely
+                if (Directory.Exists(tempParent))
+                {
+                    Directory.Delete(tempParent, recursive: true);
+                }
+            }
+        }
+
         [Fact]
         public async Task ShouldAllowFileDeletionAfterLoading()
         {

CefSharp/SchemeHandler/FolderSchemeHandlerFactory.cs

@@ -50,6 +50,8 @@ public FolderSchemeHandlerFactory(string rootFolder, string schemeName = null, s
             {
                 throw new DirectoryNotFoundException(this.rootFolder);
             }
+
+            this.rootFolder = this.rootFolder.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar) + Path.DirectorySeparatorChar;
         }
 
         /// <summary>
@@ -102,14 +104,22 @@ protected virtual IResourceHandler Create(IBrowser browser, IFrame frame, string
             }
 
             //Get the absolute path and remove the leading slash
-            var asbolutePath = uri.AbsolutePath.Substring(1);
+            var absolutePath = uri.AbsolutePath.Substring(1);
+
+            if (string.IsNullOrEmpty(absolutePath))
+            {
+                absolutePath = defaultPage;
+            }
+
+            var decodedPath = WebUtility.UrlDecode(absolutePath);
 
-            if (string.IsNullOrEmpty(asbolutePath))
+            // Block null bytes and NTFS Alternate Data Streams (:)
+            if (decodedPath.Contains("\0") || decodedPath.Contains(":"))
             {
-                asbolutePath = defaultPage;
+                return ResourceHandler.ForErrorMessage($"File Not Found - {absolutePath}", HttpStatusCode.NotFound);
             }
 
-            var filePath = Path.GetFullPath(Path.Combine(rootFolder, WebUtility.UrlDecode(asbolutePath)));
+            var filePath = Path.GetFullPath(Path.Combine(rootFolder, decodedPath));
 
             //Check the file requested is within the specified path and that the file exists
             if (filePath.StartsWith(rootFolder, StringComparison.OrdinalIgnoreCase) && File.Exists(filePath))
@@ -120,7 +130,7 @@ protected virtual IResourceHandler Create(IBrowser browser, IFrame frame, string
                 return ResourceHandler.FromStream(stream, mimeType, autoDisposeStream: true);
             }
 
-            return ResourceHandler.ForErrorMessage("File Not Found - " + filePath, HttpStatusCode.NotFound);
+            return ResourceHandler.ForErrorMessage($"File Not Found - {absolutePath}", HttpStatusCode.NotFound);
         }
     }
 }