decentraland / catalyst-storage / 27281661377

95%

push

github

fix: harden folder storage path containment against prefix confusion (#102)

The containment check used `finalPath.startsWith(directoryPath)` with no
trailing separator, so a sibling directory sharing the prefix passed it —
e.g. "/data/contents-evil".startsWith("/data/contents") is true. With
disablePrefixHash an id like "../<root>-evil/x" could therefore escape the
storage root for read/write/delete.

Compare against `directoryPath + path.sep` (allowing the directory itself)
so sibling-prefix paths are rejected. Adds traversal tests.

Also document that the gzip-derived FileInfo.contentSize comes from the
attacker-controllable gzip trailer and must not be trusted for allocation
or size limits.

106 of 119 branches covered (89.08%)

Branch coverage included in aggregate %.

1 of 1 new or added line in 1 file covered. (100.0%)

367 of 374 relevant lines covered (98.13%)

34.67 hits per line