fix(services): confine compfs/monoiofs object keys to root by rejecting parent-dir traversal#7702
Merged. erickguan merged 2 commits, Jun 10, 2026.
…ng parent-dir traversal: 59442fc to a86bab4
erickguan reviewed Jun 7, 2026
| /// Join a caller-supplied key onto `self.root` while keeping the result | ||
| /// confined to that root. | ||
| /// | ||
| /// `normalize_path` (opendal-core) strips leading `/` and empty segments but |
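Review bot: the doc comment on this `prepare_path` hunk (the `/// Join a caller-supplied key onto `self.root` …` lines) narrates what `normalize_path` does rather than why the `..` reject exists; state the decision instead: the join must stay confined to `root` because resolution happens against the host kernel, and core's `normalize_path` leaves `.`/`..` unresolved. A test that a key with a `..` component is rejected with `NotFound` while an `a..b`-substring key still joins under `root` would pin the intended behaviour.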
Member
@Xuanwo I don't like LLM code explanations as documentation. I would modify the comments to document the decision why we are doing this.
The code itself is of course good.
Contributor, Author
Good point, thanks — done in d734de6. Trimmed the prepare_path comments in both crates to say why the .. reject is there (root confinement; core's normalize_path leaves ./.. unresolved) instead of restating the mechanics. Also tightened the PR description.
…-only Address review on apache#7702: the prepare_path doc comments now state why the `..` reject exists (root confinement; core's normalize_path deliberately leaves `.`/`..` unresolved) rather than narrating PathBuf/normalize_path mechanics.
Contributor, Author
Gentle ping — this has been approved by @erickguan and CI is green. Anything else needed before merge?
Member
Thanks!
Which issue does this PR close?
Continuation of #7684; discussed with the PMC on the security list rather than a public issue. Happy to open one if preferred.
Rationale for this change
#7684 confined the `fs` backend against `..` traversal. The two other local-filesystem backends, `compfs` and `monoiofs`, have the same gap: both join keys onto `root` with no `..` reject and resolution happens against the host kernel, so a key like `../../etc/passwd` escapes `root`. Remote backends (`webdav`, `sftp`, `hdfs`, …) are out of scope — their paths resolve server-side.

What changes are included in this PR?

`compfs`/`monoiofs`: `prepare_path` now rejects keys whose components include `..`, returning `NotFound`; every key-join site already routes through it. Normal keys, `.`, trailing slashes, and `a..b`-substring keys are unchanged.

Are there any user-facing changes?

No API change. A key containing `..` is now rejected with `NotFound` instead of resolving outside `root`.
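The component-level `..` reject described above, as an added stand-alone example that is not opendal's `prepare_path` and not code from this PR. `PrepareError::NotFound` is a hypothetical stand-in for the crate's `NotFound` error, the function signature is assumed, and the leading-`/` trim mimics what the thread says core's `normalize_path` does. It keeps the `a..b`-substring, `.` and trailing-slash cases the description lists as unchanged, and rejects `..` wherever it appears in the key, not only at the start.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical stand-in for the crate's `NotFound` error kind
/// (assumption made for this example; not the project's own type).
#[derive(Debug, PartialEq, Eq)]
pub enum PrepareError {
    NotFound,
}

/// Join a caller-supplied `key` onto `root` while keeping the result
/// confined to `root`.
///
/// The reject is on *path components*: any component equal to `..` fails
/// with `NotFound`, because the joined path is resolved by the host kernel
/// and a `..` would walk out of `root`. A key such as `a..b` has no `..`
/// component and passes. `.` components and trailing slashes are dropped.
pub fn prepare_path(root: &Path, key: &str) -> Result<PathBuf, PrepareError> {
    // Strip leading `/` (and, via `components()`, empty segments) so that
    // `/x` and `x//y` both join underneath root rather than replacing it.
    let trimmed = key.trim_start_matches('/');
    let mut out = root.to_path_buf();
    for comp in Path::new(trimmed).components() {
        match comp {
            // The confinement check: refuse to walk upward at any depth.
            Component::ParentDir => return Err(PrepareError::NotFound),
            // `.` never moves the path; skip it.
            Component::CurDir => continue,
            Component::Normal(seg) => out.push(seg),
            // After trimming leading `/` these cannot appear in a Unix-style
            // key; treat any that do as an attempt to leave root.
            Component::RootDir | Component::Prefix(_) => return Err(PrepareError::NotFound),
        }
    }
    Ok(out)
}

fn main() {
    // Constructed sample keys, including the traversal case from the PR text.
    let root = Path::new("/data/root");
    for key in ["a/b.txt", "../../etc/passwd", "a/../../etc/passwd", "a..b", ".", "dir/"] {
        println!("{key:?} -> {:?}", prepare_path(root, key));
    }
}
```

The check runs on `Path::components()` rather than on the raw string so that `a..b` (no `..` component) is accepted while `a/../../etc/passwd` (a `..` component in the middle) is refused; a substring search for `..` would get the first case wrong.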