sanitiation

Author: KSemenenko

Integraions/ManagedCode.Storage.Server/ChunkUpload/ChunkUploadService.cs

@@ -47,7 +47,10 @@ public async Task<Result> AppendChunkAsync(FileUploadPayload payload, Cancellati
         var descriptor = payload.Payload;
         var uploadId = ChunkUploadDescriptor.ResolveUploadId(descriptor);
 
-        var session = _sessions.GetOrAdd(uploadId, static (key, state) =>
+        // Sanitize upload ID to prevent path traversal
+        var sanitizedUploadId = SanitizeUploadId(uploadId);
+
+        var session = _sessions.GetOrAdd(sanitizedUploadId, static (key, state) =>
         {
             var descriptor = state.Payload;
             var workingDirectory = Path.Combine(state.Options.TempPath, key);
@@ -151,6 +154,29 @@ public void Abort(string uploadId)
         }
     }
 
+    private static string SanitizeUploadId(string uploadId)
+    {
+        if (string.IsNullOrWhiteSpace(uploadId))
+            throw new ArgumentException("Upload ID cannot be null or empty", nameof(uploadId));
+
+        // Remove any path traversal sequences
+        uploadId = uploadId.Replace("..", string.Empty, StringComparison.Ordinal);
+        uploadId = uploadId.Replace("/", string.Empty, StringComparison.Ordinal);
+        uploadId = uploadId.Replace("\\", string.Empty, StringComparison.Ordinal);
+
+        // Only allow alphanumeric characters, hyphens, and underscores
+        var allowedChars = uploadId.Where(c => char.IsLetterOrDigit(c) || c == '-' || c == '_').ToArray();
+        var sanitized = new string(allowedChars);
+
+        if (string.IsNullOrWhiteSpace(sanitized))
+            throw new ArgumentException("Upload ID contains only invalid characters", nameof(uploadId));
+
+        if (sanitized.Length > 128)
+            throw new ArgumentException("Upload ID is too long", nameof(uploadId));
+
+        return sanitized;
+    }
+
     private static async Task MergeChunksAsync(string destinationFile, IReadOnlyCollection<string> chunkFiles, CancellationToken cancellationToken)
     {
         await using var destination = new FileStream(destinationFile, FileMode.Create, FileAccess.Write, FileShare.None, bufferSize: MergeBufferSize, useAsync: true);

Integraions/ManagedCode.Storage.Server/Controllers/StorageControllerBase.cs

@@ -57,6 +57,13 @@ public virtual async Task<Result<BlobMetadata>> UploadAsync([FromForm] IFormFile
             return Result<BlobMetadata>.Fail(HttpStatusCode.BadRequest, "File payload is missing");
         }
 
+        // Validate file size if enabled
+        if (_options.EnableFileSizeValidation && _options.MaxFileSize > 0 && file.Length > _options.MaxFileSize)
+        {
+            return Result<BlobMetadata>.Fail(HttpStatusCode.RequestEntityTooLarge,
+                $"File size {file.Length} bytes exceeds maximum allowed size of {_options.MaxFileSize} bytes");
+        }
+
         try
         {
             return await Result.From(() => this.UploadFormFileAsync(Storage, file, cancellationToken: cancellationToken), cancellationToken);
@@ -164,6 +171,13 @@ public virtual async Task<Result> UploadChunkAsync([FromForm] FileUploadPayload
             return Result.Fail(HttpStatusCode.BadRequest, "UploadId is required");
         }
 
+        // Validate chunk size if enabled
+        if (_options.EnableFileSizeValidation && _options.MaxChunkSize > 0 && payload.File.Length > _options.MaxChunkSize)
+        {
+            return Result.Fail(HttpStatusCode.RequestEntityTooLarge,
+                $"Chunk size {payload.File.Length} bytes exceeds maximum allowed chunk size of {_options.MaxChunkSize} bytes");
+        }
+
         return await ChunkUploadService.AppendChunkAsync(payload, cancellationToken);
     }
 
@@ -228,6 +242,16 @@ public class StorageServerOptions
     /// </summary>
     public const int DefaultMultipartBoundaryLengthLimit = 70;
 
+    /// <summary>
+    /// Default maximum file size: 100 MB.
+    /// </summary>
+    public const long DefaultMaxFileSize = 100 * 1024 * 1024;
+
+    /// <summary>
+    /// Default maximum chunk size: 10 MB.
+    /// </summary>
+    public const long DefaultMaxChunkSize = 10 * 1024 * 1024;
+
     /// <summary>
     /// Gets or sets a value indicating whether range processing is enabled for streaming responses.
     /// </summary>
@@ -242,4 +266,22 @@ public class StorageServerOptions
     /// Gets or sets the maximum allowed length for multipart boundaries when parsing raw upload streams.
     /// </summary>
     public int MultipartBoundaryLengthLimit { get; set; } = DefaultMultipartBoundaryLengthLimit;
+
+    /// <summary>
+    /// Gets or sets the maximum file size in bytes that can be uploaded. Set to 0 to disable the limit.
+    /// Default is 100 MB.
+    /// </summary>
+    public long MaxFileSize { get; set; } = DefaultMaxFileSize;
+
+    /// <summary>
+    /// Gets or sets the maximum chunk size in bytes for chunk uploads. Set to 0 to disable the limit.
+    /// Default is 10 MB.
+    /// </summary>
+    public long MaxChunkSize { get; set; } = DefaultMaxChunkSize;
+
+    /// <summary>
+    /// Gets or sets whether file size validation is enabled.
+    /// Default is true.
+    /// </summary>
+    public bool EnableFileSizeValidation { get; set; } = true;
 }

ManagedCode.Storage.VirtualFileSystem/Core/VfsPath.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 
 namespace ManagedCode.Storage.VirtualFileSystem.Core;
 
@@ -95,6 +96,14 @@ public string ToBlobKey()
     /// </summary>
     private static string NormalizePath(string path)
     {
+        // Security: Check for null bytes (potential security issue)
+        if (path.Contains('\0'))
+            throw new ArgumentException("Path contains null bytes", nameof(path));
+
+        // Security: Check for control characters
+        if (path.Any(c => char.IsControl(c) && c != '\t' && c != '\r' && c != '\n'))
+            throw new ArgumentException("Path contains control characters", nameof(path));
+
         // 1. Replace backslashes with forward slashes
         path = path.Replace('\\', '/');
 

Storages/ManagedCode.Storage.FileSystem/FileSystemStorage.cs

@@ -55,14 +55,50 @@ public override async IAsyncEnumerable<BlobMetadata> GetBlobMetadataListAsync(st
             if (cancellationToken.IsCancellationRequested)
                 yield break;
 
-            var blobMetadata = await GetBlobMetadataAsync(file, cancellationToken);
+            var relativePath = Path.GetRelativePath(StorageClient, file)
+                .Replace('\\', '/');
+
+            var (relativeDirectory, relativeFileName) = SplitRelativePath(relativePath);
+            MetadataOptions options = new()
+            {
+                FileName = relativeFileName,
+                Directory = relativeDirectory
+            };
+
+            var blobMetadata = await GetBlobMetadataAsync(options, cancellationToken);
             cancellationToken.ThrowIfCancellationRequested();
 
             if (blobMetadata.IsSuccess)
+            {
                 yield return blobMetadata.Value;
+                continue;
+            }
         }
     }
 
+    private static (string? Directory, string FileName) SplitRelativePath(string relativePath)
+    {
+        if (string.IsNullOrWhiteSpace(relativePath))
+            throw new ArgumentException("Relative path cannot be null or empty", nameof(relativePath));
+
+        var normalizedPath = relativePath.Replace('\\', '/');
+        var separatorIndex = normalizedPath.LastIndexOf('/');
+
+        if (separatorIndex < 0)
+            return (null, normalizedPath);
+
+        var directory = separatorIndex == 0
+            ? null
+            : normalizedPath[..separatorIndex];
+
+        var fileName = normalizedPath[(separatorIndex + 1)..];
+
+        if (string.IsNullOrWhiteSpace(fileName))
+            throw new InvalidOperationException($"Invalid relative path: '{relativePath}'");
+
+        return (string.IsNullOrWhiteSpace(directory) ? null : directory, fileName);
+    }
+
     public override async Task<Result<Stream>> GetStreamAsync(string fileName, CancellationToken cancellationToken = default)
     {
         try
@@ -315,19 +351,147 @@ protected override async Task<Result<bool>> HasLegalHoldInternalAsync(LegalHoldO
 
     private string GetPathFromOptions(BaseOptions options)
     {
-        string filePath;
-        if (options.Directory is not null)
+        if (string.IsNullOrWhiteSpace(options.FileName))
+            throw new ArgumentException("File name cannot be null or empty", nameof(options.FileName));
+
+        var (directoryFromFileName, fileNameOnly) = SplitDirectoryFromFileName(options.FileName);
+
+        // Sanitize and validate components
+        var sanitizedFileName = SanitizeFileName(fileNameOnly);
+
+        var combinedDirectory = CombineDirectoryParts(options.Directory, directoryFromFileName);
+        var sanitizedDirectory = combinedDirectory is not null
+            ? SanitizeDirectory(combinedDirectory)
+            : null;
+
+        if (sanitizedDirectory is not null)
         {
-            EnsureDirectoryExist(options.Directory);
-            filePath = Path.Combine(StorageClient, options.Directory, options.FileName);
+            EnsureDirectoryExist(sanitizedDirectory);
         }
-        else
+
+        string filePath = sanitizedDirectory is not null
+            ? Path.Combine(StorageClient, sanitizedDirectory, sanitizedFileName)
+            : Path.Combine(StorageClient, sanitizedFileName);
+
+        // Get full paths for comparison
+        var fullPath = Path.GetFullPath(filePath);
+        var baseFullPath = Path.GetFullPath(StorageClient);
+
+        // Verify the final path is within StorageClient directory
+        if (!fullPath.StartsWith(baseFullPath, StringComparison.OrdinalIgnoreCase))
         {
-            filePath = Path.Combine(StorageClient, options.FileName);
+            throw new UnauthorizedAccessException($"Access to path '{options.FileName}' is denied. Path traversal detected.");
+        }
+
+        EnsureDirectoryExist(Path.GetDirectoryName(fullPath)!);
+        return fullPath;
+    }
+
+    private static (string? Directory, string FileName) SplitDirectoryFromFileName(string fileName)
+    {
+        var normalized = fileName.Replace('\\', '/');
+        var lastSlash = normalized.LastIndexOf('/');
+
+        if (lastSlash < 0)
+            return (null, normalized);
+
+        var directory = normalized[..lastSlash];
+        var name = normalized[(lastSlash + 1)..];
+        return (directory, name);
+    }
+
+    private static string? CombineDirectoryParts(string? primary, string? secondary)
+    {
+        var parts = new List<string>();
+
+        void AddPart(string? value)
+        {
+            if (string.IsNullOrWhiteSpace(value))
+                return;
+
+            var normalized = value.Replace('\\', '/');
+            foreach (var segment in normalized.Split('/', StringSplitOptions.RemoveEmptyEntries))
+            {
+                parts.Add(segment);
+            }
+        }
+
+        AddPart(primary);
+        AddPart(secondary);
+
+        if (parts.Count == 0)
+            return null;
+
+        return string.Join('/', parts);
+    }
+
+    private static string SanitizeFileName(string fileName)
+    {
+        if (string.IsNullOrWhiteSpace(fileName))
+            throw new ArgumentException("File name cannot be null or empty", nameof(fileName));
+
+        var originalFileName = fileName;
+
+        // Check for path traversal attempts - throw exception if detected
+        if (fileName.Contains("..", StringComparison.Ordinal))
+            throw new UnauthorizedAccessException($"Access to path '{originalFileName}' is denied. Path traversal detected.");
+
+        // If there are path separators, extract only the filename part
+        // This handles cases like /tmp/file.txt -> file.txt
+        if (fileName.Contains('/') || fileName.Contains('\\'))
+        {
+            fileName = Path.GetFileName(fileName);
+        }
+
+        if (string.IsNullOrWhiteSpace(fileName))
+            throw new ArgumentException("Invalid file name", nameof(fileName));
+
+        // Remove any invalid filename characters
+        var invalidChars = Path.GetInvalidFileNameChars();
+        var sanitized = fileName;
+        foreach (var c in invalidChars)
+        {
+            sanitized = sanitized.Replace(c.ToString(), string.Empty);
+        }
+
+        if (string.IsNullOrWhiteSpace(sanitized))
+            throw new ArgumentException("File name contains only invalid characters", nameof(fileName));
+
+        return sanitized;
+    }
+
+    private static string SanitizeDirectory(string directory)
+    {
+        if (string.IsNullOrWhiteSpace(directory))
+            return string.Empty;
+
+        var originalDirectory = directory;
+
+        // Check for path traversal attempts - throw exception if detected
+        if (directory.Contains("..", StringComparison.Ordinal))
+            throw new UnauthorizedAccessException($"Access to path '{originalDirectory}' is denied. Path traversal detected.");
+
+        // Normalize path separators
+        directory = directory.Replace('\\', '/');
+
+        // Remove leading and trailing slashes
+        directory = directory.Trim('/');
+
+        // Validate each directory segment
+        var segments = directory.Split('/', StringSplitOptions.RemoveEmptyEntries);
+        var invalidChars = Path.GetInvalidFileNameChars();
+
+        foreach (var segment in segments)
+        {
+            if (segment.IndexOfAny(invalidChars) >= 0)
+                throw new ArgumentException($"Directory path contains invalid characters: {segment}", nameof(directory));
+
+            // Additional check for suspicious segments
+            if (segment == ".." || segment == ".")
+                throw new UnauthorizedAccessException($"Access to path '{originalDirectory}' is denied. Path traversal detected.");
         }
 
-        EnsureDirectoryExist(Path.GetDirectoryName(filePath)!);
-        return filePath;
+        return string.Join(Path.DirectorySeparatorChar, segments);
     }
 
     private void EnsureDirectoryExist(string directory)

Tests/ManagedCode.Storage.Tests/AspNetTests/Abstracts/BaseStreamControllerTests.cs

@@ -46,7 +46,7 @@ public async Task StreamFile_WhenFileExists_SaveToTempStorage_ReturnSuccess()
         var streamedValue = streamFileResult.Value ?? throw new InvalidOperationException("Stream result does not contain a stream");
 
         await using var stream = streamedValue;
-        await using var newLocalFile = await LocalFile.FromStreamAsync(stream, Path.GetTempPath(), Guid.NewGuid()
+        await using var newLocalFile = await LocalFile.FromStreamAsync(stream, Environment.CurrentDirectory, Guid.NewGuid()
             .ToString("N") + extension);
 
         var streamedFileCRC = Crc32Helper.CalculateFileCrc(newLocalFile.FilePath);

Tests/ManagedCode.Storage.Tests/AspNetTests/Azure/AzureSignalRStorageTests.cs

@@ -120,7 +120,7 @@ public async Task DownloadStreamAsync_WhenBlobExists_ShouldDownloadContent()
 
         var expectedCrc = Crc32Helper.CalculateFileCrc(localFile.FilePath);
         memory.Position = 0;
-        await using var downloadedFile = await LocalFile.FromStreamAsync(memory, Path.GetTempPath(), Guid.NewGuid().ToString("N") + localFile.FileInfo.Extension);
+        await using var downloadedFile = await LocalFile.FromStreamAsync(memory, Environment.CurrentDirectory, Guid.NewGuid().ToString("N") + localFile.FileInfo.Extension);
         var downloadedCrc = Crc32Helper.CalculateFileCrc(downloadedFile.FilePath);
         downloadedCrc.ShouldBe(expectedCrc);
 

Tests/ManagedCode.Storage.Tests/Common/FileHelper.cs

@@ -24,7 +24,7 @@ public static LocalFile GenerateLocalFile(LocalFile localFile, int byteSize)
 
     public static LocalFile GenerateLocalFile(string fileName, int byteSize)
     {
-        var path = Path.Combine(Path.GetTempPath(), fileName);
+        var path = Path.Combine(Environment.CurrentDirectory, fileName);
         var localFile = new LocalFile(path);
 
         var fs = localFile.FileStream;
@@ -94,4 +94,4 @@ public static string GenerateRandomFileContent(int charCount = 250_000)
             .Select(s => s[Random.Next(s.Length)])
             .ToArray());
     }
-}
+}

Tests/ManagedCode.Storage.Tests/Core/Crc32HelperTests.cs

@@ -12,7 +12,7 @@ public class Crc32HelperTests
     [Fact]
     public void CalculateFileCrc_ShouldMatchInMemoryCalculation()
     {
-        var tempPath = Path.Combine(Path.GetTempPath(), $"crc-test-{Guid.NewGuid():N}.bin");
+        var tempPath = Path.Combine(Environment.CurrentDirectory, $"crc-test-{Guid.NewGuid():N}.bin");
         try
         {
             var payload = new byte[4096 + 123];

Tests/ManagedCode.Storage.Tests/Server/ChunkUploadServiceTests.cs

@@ -15,7 +15,7 @@ namespace ManagedCode.Storage.Tests.Server;
 
 public class ChunkUploadServiceTests : IAsyncLifetime
 {
-    private readonly string _root = Path.Combine(Path.GetTempPath(), "managedcode-chunk-tests", Guid.NewGuid().ToString());
+    private readonly string _root = Path.Combine(Environment.CurrentDirectory, "managedcode-chunk-tests", Guid.NewGuid().ToString());
     private ChunkUploadOptions _options = null!;
 
     public Task InitializeAsync()