Skip to content

fix(utils): add path traversal validation for ShardedWal groupId #1232

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
BioPhoton merged 4 commits into from
Feb 1, 2026
Merged

fix(utils): add path traversal validation for ShardedWal groupId #1232

BioPhoton merged 4 commits into from
Feb 1, 2026
+112 −3

Conversation

Copy link

Copilot AI commented Feb 1, 2026
edited
Loading

The groupId parameter in ShardedWal can come from user input or environment variables and is used directly in path.join() operations without validation. This allows path traversal attacks via values like ../../../etc/passwd or ..\\windows\\system32.

Changes

  • Added validateGroupId() function to reject:

    • Path separators (/, \)
    • Relative path components (., ..)
    • Null bytes
    • Empty/whitespace values
    • Paths that normalize unsafely

  • Updated constructor to use != null checks instead of truthy checks, ensuring empty strings are validated rather than falling through to auto-generation

  • Applied validation to all groupId sources: explicit constructor parameter, environment variables (measureNameEnvVar), and auto-generated values

// Before: vulnerable to path traversal
new ShardedWal({ 
  groupId: '../../../etc',  // ❌ writes to /path/to/base/../../../etc/
  // ...
});

// After: validation blocks attack
new ShardedWal({ 
  groupId: '../../../etc',  // ✓ throws "groupId cannot contain path separators"
  // ...
});

Testing

Added 10 test cases covering path traversal attempts, null bytes, relative paths, and valid groupIds. CodeQL scan confirms no remaining vulnerabilities.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI mentioned this pull request Feb 1, 2026
Open
Copilot AI and others added 3 commits February 1, 2026 22:01
@BioPhoton
fix(utils): add path traversal validation for groupId in ShardedWal
da64de1 
Co-authored-by: BioPhoton <10064416+BioPhoton@users.noreply.github.com>
@BioPhoton
fix(utils): improve validation error messages for clarity
3c68524 
Co-authored-by: BioPhoton <10064416+BioPhoton@users.noreply.github.com>
@BioPhoton
test(utils): add env var cleanup to prevent test pollution
a3d80f2 
Co-authored-by: BioPhoton <10064416+BioPhoton@users.noreply.github.com>
Copy link
Author

Copilot AI commented Feb 1, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • cloud.nx.app
    • Triggering command: /usr/local/bin/node node ./bin/post-install (dns block)
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/cli/cli/node_modules/.bin/nx unit-test utils --testPathPattern=wal-sharded.unit.test (dns block)
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/cli/cli/node_modules/.bin/nx unit-test utils --testPathPattern=wal-sharded.unit.test d -n 10 (dns block)
  • www.googleapis.com
    • Triggering command: /usr/local/bin/node node install.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Address feedback on sharded WAL refactor implementation fix(utils): add path traversal validation for ShardedWal groupId Feb 1, 2026
Copilot AI requested a review from BioPhoton February 1, 2026 22:06
@BioPhoton BioPhoton marked this pull request as ready for review February 1, 2026 23:33
@BioPhoton BioPhoton merged commit 243e105 into feat/utils/sharded-profiling Feb 1, 2026
4 of 6 checks passed
@BioPhoton BioPhoton deleted the copilot/sub-pr-1231 branch February 1, 2026 23:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@BioPhoton BioPhoton BioPhoton approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@BioPhoton BioPhoton

Copilot code review Copilot

Labels

🔬 testing writing tests 🧩 utils

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BioPhoton