Security: Fix double-encoding path traversal vulnerability

nickprotop · nickprotop · commit 6eee1c2b2ced · 2025-12-18T16:31:03.000+02:00
- Recursively decode URL-encoded paths to catch %252e%252e attacks
- Reject any remaining % characters after full decoding
- Prevents bypass of path traversal protection via encoding tricks
diff --git a/cloud/src/LrmCloud.Api/Services/MinioStorageService.cs b/cloud/src/LrmCloud.Api/Services/MinioStorageService.cs
@@ -223,7 +223,18 @@ private static string GetObjectName(int projectId, string filePath)
             throw new ArgumentException("File path cannot be empty", nameof(filePath));
         }
 
-        // Normalize path separators first (handle both Windows and Unix paths)
+        // Security: Decode URL-encoded characters to catch double-encoding attacks
+        // e.g., %252e%252e -> %2e%2e -> .. (path traversal attempt)
+        var decodedPath = Uri.UnescapeDataString(filePath);
+
+        // Keep decoding until no more changes (handles triple+ encoding)
+        while (decodedPath != filePath)
+        {
+            filePath = decodedPath;
+            decodedPath = Uri.UnescapeDataString(filePath);
+        }
+
+        // Normalize path separators (handle both Windows and Unix paths)
         filePath = filePath.Replace('\\', '/');
 
         // Remove leading slash if present
@@ -236,19 +247,24 @@ private static string GetObjectName(int projectId, string filePath)
         var segments = fullPath.Split('/', StringSplitOptions.RemoveEmptyEntries);
 
         // Security: Check for path traversal in ALL segments
-        // This catches: "..", ".", encoded variants after URL decoding, etc.
         foreach (var segment in segments)
         {
             if (segment == ".." || segment == ".")
             {
                 throw new ArgumentException("Invalid file path: path traversal not allowed", nameof(filePath));
             }
 
-            // Also check for null bytes or other suspicious characters
+            // Check for null bytes or other suspicious characters
             if (segment.Contains('\0'))
             {
                 throw new ArgumentException("Invalid file path: null bytes not allowed", nameof(filePath));
             }
+
+            // Check for URL-encoded sequences that shouldn't be in final path
+            if (segment.Contains('%'))
+            {
+                throw new ArgumentException("Invalid file path: encoded characters not allowed", nameof(filePath));
+            }
         }
 
         // Rebuild the clean path from validated segments
