26696628394
89%

Ran 30 May 2026 10:32PM UTC

Jobs 5

Files 103

Run time 1min

Badge

Embed ▾

Committed 30 May 2026 10:29PM UTC coverage: 88.889% (-0.03%) from 88.917%

Build # 26696628394

Build Type

push

github

Committed by

marcelometal

Commit Message

fix(file_loader): enforce root boundaries after decoding paths

Decode percent-encoded paths before root-boundary validation to block
%2e%2e traversal through filters such as watermark and frame.

Replace the startswith() guard with os.path.commonpath() so sibling prefixes
outside FILE_LOADER_ROOT_PATH are not accepted.

Preserve compatibility for literal percent-encoded filenames by trying the
raw path only after a repeated root-boundary check. Add tests for encoded
traversal, mixed traversal, sibling-prefix escape, and normal file loading.

Coverage Stats

10 of 12 new or added lines in 1 file covered. (83.33%)

3912 of 4401 relevant lines covered (88.89%)

4.44 hits per line

Uncovered Changes

Lines	Coverage	∆	File
2	93.75	-6.25%	thumbor/loaders/file_loader.py

Jobs

ID	Job ID	Ran	Files	Coverage
1	run-3.10 - 26696628394.1	30 May 2026 10:32PM UTC	103	88.89	GitHub Action Run
2	run-3.11 - 26696628394.2	30 May 2026 10:32PM UTC	103	88.89	GitHub Action Run
3	run-3.13 - 26696628394.3	30 May 2026 10:32PM UTC	103	88.89	GitHub Action Run
4	run-3.14 - 26696628394.4	30 May 2026 10:32PM UTC	103	88.89	GitHub Action Run
5	run-3.12 - 26696628394.5	30 May 2026 10:32PM UTC	103	88.89	GitHub Action Run

thumbor / thumbor / 26696628394
89%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Jobs

Source Files on build 26696628394

thumbor / thumbor / 26696628394 89%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Jobs

Source Files on build 26696628394

thumbor / thumbor / 26696628394
89%

README BADGES
x