supabase / storage

76%

master: 76%

LAST BUILD ON BRANCH ferhat/file-backend-path-traversal

branch: ferhat/file-backend-path-traversal

CHANGE BRANCH

x

Reset

Sync Branches

• ferhat/file-backend-path-traversal
• admin-features
• admin/reconcile-orphan-objects
• auth/crypto
• bs/tmp
• build/v1.0.1
• build/v1.13.4
• chore-review-actions
• chore/bump-axios-to-190
• chore/bump-fastify-multipart-patch-version
• chore/bump-form-data-404-and-esbuild-0250-versions
• chore/improve-folder-structure
• chore/improve-storage-errors
• chore/improvements
• chore/remove-request-info-logs
• chore/tests
• chore/update-pino-logflare
• chore/update-tests-fix-coverage
• chore/use-single-s3-client
• ci/automatic-cli-pr
• ci/fix-mirror-images
• ci/pr-target
• concurreny
• da/ssl-hostname-verification
• db/propagate-transaction-error-edge-case
• dep/axios-1.6.8
• deps/bump-axios
• deps/bump-security-1
• deps/cross-spawn-update
• docker/fix-imgproxy-path
• etienne/sec-389-buckets-with-trailing-whitespace-cannot-be-deleted-in
• exit-1
• feat/add-queue-health-check-monitor
• feat/add-support-for-sorting-to-list-v2
• feat/add-version-endpoint-to-admin-api
• feat/allow-disabling-s3-protocol
• feat/allow-disabling-specific-events-tenants
• feat/allow-overwrites-when-copy
• feat/buckets-objects-grants-for-postgres
• feat/cpabilities
• feat/custom-metadata
• feat/deprecate-service-and-anon-keys
• feat/docker-compose-example
• feat/feature-flag-freeze-migrations
• feat/gravity
• feat/handle-auth-on-top-level-routes
• feat/iceberg-catalog
• feat/list-objects-v2
• feat/multitenant-db-pool-support
• feat/pre-signed-url-with-storage-jwt-secret
• feat/prevent-direct-sql-deletes-in-storage-schema
• feat/purge-cache-for-object
• feat/rabalancing-pooling
• feat/remove-dependency-on-pg-extensions
• feat/s3-post-form
• feat/s3-protocol-custom-response-header
• feat/signed-upload-url-upsert
• feat/stale-while-revalidate
• feat/standard-upload-limits
• feat/support-x-forwarded-path
• feat/tus-signed-upload-url-support
• feat/tus-stable-v1
• feat/vector-buckets
• feature/server-timings
• ferhat/crypto-dep
• ferhat/deepwiki
• ferhat/delta
• ferhat/drop-fly
• ferhat/file-backend-last-mod
• ferhat/list-wildcards
• ferhat/move-cleanup
• ferhat/otel-tracing-endpoint-case
• ferhat/tus-dup
• files-backend-linux-etag
• fix-migrate
• fix-trigger-update-level
• fix/add-error-callback-for-logs-ingestion
• fix/add-migration-check-on-bucket-create
• fix/add-robots-header
• fix/allow-10000-parts-for-s3
• fix/allow-10000-parts-for-s3-upload
• fix/allow-connect-via-ip-address
• fix/aws-sdk-stream-buffer
• fix/base-migrations
• fix/base64-on-metadata-headers
• fix/bump-storage-version
• fix/check-for-public-bucket-on-info-request
• fix/check-local-migrations-in-has-migrations
• fix/ci-ubuntu-version
• fix/cleanup-imports
• fix/content-type-charset
• fix/copy-event
• fix/copy-object-content-type
• fix/copy-object-same-path
• fix/correct-operation-for-auth-render-image
• fix/cusrsor-s3-list-v1
• fix/db-install-roles-default-value
• fix/default-max-file-size-s3-post-upload
• fix/default-queue-env
• fix/deps-upgrade-custom-options
• fix/disable-content-type-parsers
• fix/do-not-drop-column-jwks-on-tenants
• fix/do-not-make-head-call-for-zero-byte-uploads
• fix/do-not-select-redundant-column
• fix/doc-export
• fix/dont-allow-buckets-named-public
• fix/env-file-backend-name
• fix/error-log-edge-case
• fix/exclude-empty-headers-s3
• fix/expose-etag-headers-for-s3-multipart-upload
• fix/filter-namespace-by-bucket
• fix/fix-search-to-return-proper-case
• fix/gracefully-handle-incomplete-multipart-uploads
• fix/grant-to-postgres-with-grant-option
• fix/handle-databse-timeout-errors
• fix/handle-max-clients-error-for-supavisor
• fix/header-validation-always-string
• fix/healthcheck-return-reply
• fix/improve-analytics-buckets
• fix/improve-db-errors
• fix/increase-put-vector-body-limit
• fix/info-headers
• fix/int-overflow-in-size-function
• fix/log-aborted-connections
• fix/merge-tenant-jwks-with-new-jwks-table
• fix/metadata-input-names
• fix/migrate-call
• fix/migration-check
• fix/migration-types-ordering
• fix/new-api-key-suport
• fix/onSend-hook-execution-time
• fix/operation-flag-on-s3-protocol
• fix/optional-queue-params
• fix/orphan-client
• fix/orphan-object-script-fixes
• fix/otel-hook
• fix/pagination-scanner
• fix/part-upload-remove-pipeline
• fix/pass-config-on-signature
• fix/percintile-metrics
• fix/pgboss-exactly-once-queue
• fix/pgboss-on-error-callback
• fix/pgboss-queue-init
• fix/pool-cleanup
• fix/prefixes-concurrency-cleanup
• fix/prevent-duplicate-logs
• fix/prevent-path-traversal-outside-of-storage-path
• fix/primary-keys-migration
• fix/proxy-headers-on-protocols
• fix/queue-connection-handling
• fix/queue-fetching-parallel-batches
• fix/refactor-folders
• fix/remove-default-content-range
• fix/return-bucket-id-on-info
• fix/revert-migrate-script-rename
• fix/rls-check-on-move
• fix/run-migrations-after-tenant-creation
• fix/s3-chuncked-upload
• fix/s3-complete-upload-typo
• fix/s3-count-on-list
• fix/s3-credential-cache-notify-fix
• fix/s3-delete-response
• fix/s3-locker-timing-issue
• fix/s3-object-list-v1-cursor
• fix/s3-object-pagination-with-url-encoding
• fix/safely-handle-concurrent-promise-rejection
• fix/signature-for-strict-clients
• fix/single-migration-strategy
• fix/start-single-migrations
• fix/storage-copy-across-buckets
• fix/storage-encoding-on-copy
• fix/strip-extra-slash-from-tus-path
• fix/support-orioledb-migrations
• fix/switch-from-jsonwebtoken-tojose
• fix/table-exists-check
• fix/tenant-hook-return-reply
• fix/tests
• fix/tus-locker-error-handling
• fix/tus-signed-url-validation
• fix/update-img-proxy-env-to-be-consistent-with-prod
• fix/update-to-fastify-v5
• fix/updating-pool-mode-on-put
• fix/use-handle-missing-metadata-in-file-adapter
• fix/use-original-encoding-header-if-available
• fix/use-pino-file-when-logflare-is-disabled
• fix/use-queue-in-empty-to-delete-objects
• fix/use-s3-compliant-component-encoding
• fix/validate-header
• fix/validate-s3-headers-before-sending
• fix/x-forwarded-port-local
• hf/add-jwks-support
• hf/bump-ci-node
• hf/prevent-role-in-presigned-url
• imgproxy/local-path-file-driver
• improvement/adapter-interface
• ip/logs-batch
• ip/release
• ip/release-2
• kiwicopple-patch-1
• km/feat-eks-cluster-discovery
• lenny/add-replace-existing-container-script
• lenny/exclude-bucket-type-for-old-storage-py-versions
• lenny/exclude-bucket-type-for-old-storage-py-versions-2
• logs/add-execution-time
• master
• metrics/add-agent-metrics
• migrations/allow-excluding-columns-for-old-migrations
• migrations/optimise-migrations
• migrations/sync-mode
• missing-content-type
• moinitoring/improvement
• monitoring/otel-metrics
• monitoring/stream-monitoring
• monitoring/upload-stream
• multitenant/allow-increase-img-transform-res-per-tenant
• multitenant/migrations-execution
• node24-for-semantic
• observability/delta-metrics
• pcnc/batch-size
• perf/improve-handling-of-request-cancellation
• perf/query-cancellation-stricter-timeouts
• perf/search-query-optimized
• pgboss/v10
• rebuild/v.1.11.6
• refs/pull/444/merge
• release/0.48.0
• release/1.8.2
• release/v1.0.10
• revert/fx-attrs-upgrade
• rollback/trigger-prefixes
• s3-protocol/fix-file-driver
• s3/chunked-upload-signature-verification-fix
• s3/consistent-rls-for-session-token
• s3/delete-objects-array-validation
• s3/get-object-tagging-stup
• s3/omit-next-continuation-token-when-empty
• s3/protocol
• s3/signed-urls
• s3/split-clients
• shutdown/signals
• storage/accept-forwarded-header-for-signature
• storage/authenticated-query-token
• storage/do-not-validate-mime-type-on-empty-folder
• storage/docker-image-deps
• storage/fix-get-presigned-urls
• storage/handler-on-error-on-client
• storage/operation
• storage/otel-tracing
• storage/push-latest
• storage/queue-worker-mode
• storage/webhooks-max-http-connections
• traces/add-more-traces
• traces/custom-spans
• tracing/optional-log-tracing
• tracing/stream-monitoring
• tus/allow-disabling-s3-tags
• tus/dont-cache-metadata
• tus/fix-locker-release
• tus/upgrade-latest
• tyler/STORAGE-258/user-metadata-in-rls
• tyler/STORAGE-292/amend-migrations-to-prevent-crashes
• tyler/chore/pgbouncer-app-name
• tyler/chore/update-pg-applicaition-name
• tyler/feat/add-pagination-get-buckets
• tyler/fix/coveralls-badge
• upgrade/pg-boss-version

Build # 22620404676

Build Type

Pull #883

github

Committed by web-flow

Commit Message

Merge bf6e31777 into 734fea0b8

Pull Request Pull Request #883: fix: path traversal in file backend

Run Details

3933 of 5624 branches covered (69.93%)

Branch coverage included in aggregate %.

73 of 73 new or added lines in 1 file covered. (100.0%)

2 existing lines in 1 file now uncovered.

26516 of 34419 relevant lines covered (77.04%)

190.39 hits per line