
Conversation


@JRLK0 JRLK0 commented Dec 12, 2025

Summary

Fixes an issue where GetDocumentInsider used the raw documentName value when
constructing the output file path, allowing directory separators or traversal
sequences to influence the generated path.

Details

Although a sanitized version of documentName was computed, it was not used when
building the final output file name.

This change ensures the sanitized value is always used and treats directory
separators consistently across platforms.

Tests

Adds a regression test to ensure values such as a/../b or a\..\b cannot affect
the output path.

Notes

This issue was previously reported to MSRC (VULN-168240) and classified as a
non-serviceable security case.

Fixes #64758

- Updated the handling of invalid filename characters to include directory separators, ensuring consistent behavior across platforms.
- Modified the output path generation to use the sanitized document name, preventing user-controlled paths from being interpreted incorrectly.
- Added unit tests to validate the document name sanitization logic, covering various input scenarios.
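To make the defect class described above concrete, here is an added C# illustration; it is not code from this PR or from ASP.NET Core, and the names `DocumentOutputPath`, `Sanitize`, `BuildOutputPathBefore` and `BuildOutputPathAfter` are hypothetical. It assumes .NET Core 3.0 or later (for `Path.TrimEndingDirectorySeparator`). The "before" method computes a sanitized name but passes the raw value to `Path.Combine`, so separators in the input shape the path; the "after" method feeds the sanitized name into the path, adds both directory separators to the invalid-character set so behaviour matches across platforms, and checks that the resolved file lands directly in the output directory.

```csharp
using System;
using System.IO;
using System.Linq;

public static class DocumentOutputPath
{
    // Constructed invalid-character set: the platform's invalid file-name characters
    // plus both directory separators, so "a/../b" and "a\..\b" are treated the same
    // on Windows and on Linux/macOS (where '\' is otherwise a legal file-name character).
    private static readonly char[] InvalidChars =
        Path.GetInvalidFileNameChars().Concat(new[] { '/', '\\' }).Distinct().ToArray();

    // Replaces every invalid character (including separators) with '_'.
    public static string Sanitize(string documentName)
    {
        if (string.IsNullOrEmpty(documentName))
        {
            throw new ArgumentException("Document name must not be empty.", nameof(documentName));
        }

        var chars = documentName.ToCharArray();
        for (var i = 0; i < chars.Length; i++)
        {
            if (Array.IndexOf(InvalidChars, chars[i]) >= 0)
            {
                chars[i] = '_';
            }
        }
        return new string(chars);
    }

    // The defect class the PR describes: a sanitized name is computed, but the raw
    // value is what reaches Path.Combine, so separators in the input shape the path.
    public static string BuildOutputPathBefore(string outputDirectory, string documentName)
    {
        var sanitized = Sanitize(documentName); // computed ...
        return Path.Combine(outputDirectory, documentName + ".json"); // ... but not used
    }

    // Hardened form: the sanitized name feeds the path, and a containment check
    // confirms the resolved file sits directly inside the output directory.
    public static string BuildOutputPathAfter(string outputDirectory, string documentName)
    {
        var root = Path.TrimEndingDirectorySeparator(Path.GetFullPath(outputDirectory));
        var full = Path.GetFullPath(Path.Combine(root, Sanitize(documentName) + ".json"));

        // Ordinal comparison; on case-insensitive file systems a case-insensitive
        // comparison would be the appropriate choice.
        if (!string.Equals(Path.GetDirectoryName(full), root, StringComparison.Ordinal))
        {
            throw new InvalidOperationException($"Refusing to write outside '{root}'.");
        }
        return full;
    }

    public static void Main()
    {
        var outDir = Path.Combine(Path.GetTempPath(), "openapi-out"); // constructed output directory

        // Constructed inputs: the two shapes named in the PR's regression test, plus a normal name.
        foreach (var name in new[] { "v1", "a/../b", @"a\..\b" })
        {
            Console.WriteLine($"{name,-10} before: {BuildOutputPathBefore(outDir, name)}");
            Console.WriteLine($"{name,-10} after:  {BuildOutputPathAfter(outDir, name)}");
        }
    }
}
```

Running `Main` shows the "before" path for `a/../b` still carrying the `a/..` segment, while the "after" path is `a_.._b.json` inside the output directory on every platform. The containment check is a second, independent guard: even if the sanitizer were later weakened, a resolved path whose parent is not the output directory is rejected rather than written.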
@github-actions github-actions bot added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label Dec 12, 2025
@dotnet-policy-service dotnet-policy-service bot added the community-contribution Indicates that the PR has been added by a community member label Dec 12, 2025
@dotnet-policy-service Contributor

Thanks for your PR, @JRLK0. Someone from the team will get assigned to your PR shortly and we'll get it reviewed.


JRLK0 commented Dec 12, 2025

@dotnet-policy-service agree

@martincostello martincostello added area-commandlinetools Includes: Command line tools, dotnet-dev-certs, dotnet-user-jwts, and OpenAPI feature-openapi and removed needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically labels Dec 13, 2025
Development

Successfully merging this pull request may close these issues.

GetDocumentInsider uses unsanitized documentName when generating output file path