release(v3.19.0): folder creation hardening

- security(folder): reject traversal segments before directory creation

Author: error311

CHANGELOG.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## Changes 06/26/2026 (v3.19.0)
+
+`release(v3.19.0): folder creation hardening`
+
+**Commit message**
+
+```text
+release(v3.19.0): folder creation hardening
+
+- security(folder): reject traversal segments before directory creation
+```
+
+**Fixed**
+
+- **Folder creation hardening**
+  - Folder creation now rejects `.` and `..` path segments before creating directories.
+  - Local folder creation now verifies the parent path stays inside the configured upload root before directory creation.
+  - Existing valid child-folder and root-relative nested folder creation behavior is preserved.
+
+---
+
 ## Changes 06/23/2026 (v3.18.0)
 
 `release(v3.18.0): file operation hardening`

src/FileRise/Domain/FolderModel.php

@@ -607,6 +607,33 @@ private static function isSafeSegment(string $name): bool
         $len = mb_strlen($name);
         return $len > 0 && $len <= 255;
     }
+
+    private static function isValidFolderSegment(string $name): bool
+    {
+        return self::isSafeSegment($name) && preg_match(REGEX_FOLDER_NAME, $name) === 1;
+    }
+
+    private static function splitFolderSegments(string $folder, bool $allowRoot = true): ?array
+    {
+        $normalized = ACL::normalizeFolder($folder);
+        if ($normalized === 'root') {
+            return $allowRoot ? [] : null;
+        }
+
+        $parts = explode('/', $normalized);
+        if ($parts === [] || in_array('', $parts, true)) {
+            return null;
+        }
+
+        foreach ($parts as $seg) {
+            if (!self::isValidFolderSegment($seg)) {
+                return null;
+            }
+        }
+
+        return $parts;
+    }
+
     private static function safeReal(string $baseReal, string $p): ?string
     {
         $rp = realpath($p);
@@ -1094,16 +1121,10 @@ private static function resolveFolderPath(string $folder, bool $create = false):
         if (strtolower($folder) === 'root') {
             $dir = $base;
         } else {
-            // validate each segment against REGEX_FOLDER_NAME
-            $parts = array_filter(explode('/', trim($folder, "/\\ ")), fn($p) => $p !== '');
-            if (empty($parts)) {
+            $parts = self::splitFolderSegments($folder);
+            if ($parts === null || $parts === []) {
                 return [null, 'root', "Invalid folder name."];
             }
-            foreach ($parts as $seg) {
-                if (!preg_match(REGEX_FOLDER_NAME, $seg)) {
-                    return [null, 'root', "Invalid folder name."];
-                }
-            }
             $relative = implode('/', $parts);
             $dir      = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);
         }
@@ -1145,15 +1166,10 @@ private static function resolveFolderPathForAdapter(StorageAdapterInterface $sto
         if (strtolower($folder) === 'root') {
             $dir = $base;
         } else {
-            $parts = array_filter(explode('/', trim($folder, "/\\ ")), fn($p) => $p !== '');
-            if (empty($parts)) {
+            $parts = self::splitFolderSegments($folder);
+            if ($parts === null || $parts === []) {
                 return [null, 'root', "Invalid folder name."];
             }
-            foreach ($parts as $seg) {
-                if (!preg_match(REGEX_FOLDER_NAME, $seg)) {
-                    return [null, 'root', "Invalid folder name."];
-                }
-            }
             $relative = implode('/', $parts);
             $dir      = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);
         }
@@ -1533,14 +1549,25 @@ public static function createFolder(string $folderName, string $parent, string $
             return ['success' => false, 'error' => 'Folder name required'];
         }
 
+        $parentParts = self::splitFolderSegments($parent);
+        if ($parentParts === null) {
+            return ['success' => false, 'error' => 'Invalid parent folder name'];
+        }
+        $folderParts = self::splitFolderSegments($folderName, false);
+        if ($folderParts === null || count($folderParts) !== 1) {
+            return ['success' => false, 'error' => 'Invalid folder name'];
+        }
+
+        $parent = $parentParts === [] ? 'root' : implode('/', $parentParts);
+        $folderName = $folderParts[0];
+
         // ACL key for new folder
         $newKey = ($parent === 'root') ? $folderName : ($parent . '/' . $folderName);
 
         // -------- Compose filesystem paths --------
         $base = rtrim(self::uploadRoot(), "/\\");
         $parentRel = ($parent === 'root') ? '' : str_replace('/', DIRECTORY_SEPARATOR, $parent);
         $parentAbs = $parentRel ? ($base . DIRECTORY_SEPARATOR . $parentRel) : $base;
-        $newAbs = $parentAbs . DIRECTORY_SEPARATOR . $folderName;
         $storage = self::storage();
         $isLocal = $storage->isLocal();
 
@@ -1552,6 +1579,21 @@ public static function createFolder(string $folderName, string $parent, string $
         if (!$parentExists) {
             return ['success' => false, 'error' => 'Parent folder does not exist'];
         }
+
+        if ($isLocal) {
+            $baseReal = realpath(self::uploadRoot());
+            $parentReal = realpath($parentAbs);
+            if (
+                $baseReal === false ||
+                $parentReal === false ||
+                !self::isPathInsideOrSame($baseReal, $parentReal)
+            ) {
+                return ['success' => false, 'error' => 'Invalid folder path'];
+            }
+            $parentAbs = $parentReal;
+        }
+
+        $newAbs = $parentAbs . DIRECTORY_SEPARATOR . $folderName;
         if ($storage->stat($newAbs) !== null) {
             return ['success' => false, 'error' => 'Folder already exists'];
         }

tests/security/create_folder_path_traversal_regressions.php

@@ -0,0 +1,116 @@
+<?php
+declare(strict_types=1);
+
+$baseDir = dirname(__DIR__, 2);
+$tmpBase = $baseDir . '/tests/.tmp_create_folder_traversal_' . bin2hex(random_bytes(4));
+$uploadDir = $tmpBase . '/uploads/';
+$usersDir = $tmpBase . '/users/';
+$metaDir = $tmpBase . '/metadata/';
+$sessionDir = $tmpBase . '/sessions/';
+
+function createFolderTraversalFailIf(bool $cond, string $message, array &$errors): void
+{
+    if ($cond) {
+        $errors[] = $message;
+    }
+}
+
+function createFolderTraversalRmTree(string $dir): void
+{
+    if (!file_exists($dir) && !is_link($dir)) {
+        return;
+    }
+    if (is_link($dir) || is_file($dir)) {
+        @unlink($dir);
+        return;
+    }
+    $items = scandir($dir);
+    if ($items === false) {
+        return;
+    }
+    foreach ($items as $item) {
+        if ($item === '.' || $item === '..') {
+            continue;
+        }
+        createFolderTraversalRmTree($dir . DIRECTORY_SEPARATOR . $item);
+    }
+    @rmdir($dir);
+}
+
+@mkdir($uploadDir . 'bob', 0775, true);
+@mkdir($usersDir, 0700, true);
+@mkdir($metaDir, 0775, true);
+@mkdir($sessionDir, 0700, true);
+session_save_path($sessionDir);
+
+putenv('FR_TEST_UPLOAD_DIR=' . $uploadDir);
+putenv('FR_TEST_USERS_DIR=' . $usersDir);
+putenv('FR_TEST_META_DIR=' . $metaDir);
+putenv('PERSISTENT_TOKENS_KEY=test_persistent_tokens_key_32bytes!');
+
+require_once $baseDir . '/config/config.php';
+require_once $baseDir . '/src/FileRise/Domain/FolderModel.php';
+
+$errors = [];
+$escapedPath = $tmpBase . '/escape';
+
+try {
+    $escapeResult = \FileRise\Domain\FolderModel::createFolder('../../escape', 'bob', 'bob');
+    createFolderTraversalFailIf(
+        !empty($escapeResult['success']),
+        'createFolder: traversal folderName should be rejected',
+        $errors
+    );
+    createFolderTraversalFailIf(
+        is_dir($escapedPath),
+        'createFolder: traversal folderName created directory outside upload root',
+        $errors
+    );
+
+    $dotDotResult = \FileRise\Domain\FolderModel::createFolder('..', 'bob', 'bob');
+    createFolderTraversalFailIf(
+        !empty($dotDotResult['success']),
+        'createFolder: dot-dot leaf name should be rejected',
+        $errors
+    );
+
+    $badParentResult = \FileRise\Domain\FolderModel::createFolder('child', 'bob/..', 'bob');
+    createFolderTraversalFailIf(
+        !empty($badParentResult['success']),
+        'createFolder: traversal parent should be rejected',
+        $errors
+    );
+
+    $safeResult = \FileRise\Domain\FolderModel::createFolder('safe', 'bob', 'bob');
+    createFolderTraversalFailIf(
+        empty($safeResult['success']),
+        'createFolder: valid child folder should succeed',
+        $errors
+    );
+    createFolderTraversalFailIf(
+        !is_dir($uploadDir . 'bob/safe'),
+        'createFolder: valid child folder was not created',
+        $errors
+    );
+
+    $nestedResult = \FileRise\Domain\FolderModel::createFolder('bob/nested', 'root', 'bob');
+    createFolderTraversalFailIf(
+        empty($nestedResult['success']),
+        'createFolder: root-relative nested folder behavior should be preserved',
+        $errors
+    );
+    createFolderTraversalFailIf(
+        !is_dir($uploadDir . 'bob/nested'),
+        'createFolder: root-relative nested folder was not created',
+        $errors
+    );
+} finally {
+    createFolderTraversalRmTree($tmpBase);
+}
+
+if ($errors) {
+    fwrite(STDERR, "Create-folder path traversal regression failures:\n- " . implode("\n- ", $errors) . "\n");
+    exit(1);
+}
+
+echo "Create-folder path traversal regressions passed\n";