fix(Storage): Implement path containment to prevent traversal attacks (#8658)

Author: thiyaguk09

Storage/src/StorageObject.php

@@ -688,9 +688,24 @@ public function downloadAsString(array $options = [])
      *           If provided one must also include an `encryptionKey`.
      * }
      * @return StreamInterface
+     * @throws \RuntimeException
      */
     public function downloadToFile($path, array $options = [])
     {
+        // throws an exception in the case of `..` segments, paths
+        // starting with `/`, and Windows drive letters (e.g., `C:`).
+        $normalizedPath = str_replace('\\', '/', $path);
+        $pathSegments = explode('/', $normalizedPath);
+
+        if (in_array('..', $pathSegments, true) ||
+            strpos($normalizedPath, '/') === 0 ||
+            preg_match('/^[a-zA-Z]:\//', $normalizedPath)
+        ) {
+            throw new \RuntimeException(
+                'Path traversal is not allowed. File path is outside the designated directory.'
+            );
+        }
+
         $source = $this->downloadAsStream($options);
         $destination = Utils::streamFor(fopen($path, 'w'));
 

Storage/tests/System/ManageObjectsTest.php

@@ -443,7 +443,7 @@ public function testDownloadsToFileShouldNotCreateFileWhenObjectNotFound()
         $objectName = uniqid(self::TESTING_PREFIX);
         $testObject = self::$bucket->object($objectName);
         $exceptionString = 'No such object';
-        $downloadFilePath = __DIR__ . '/' . $objectName;
+        $downloadFilePath = $objectName;
 
         $throws = false;
         try {
@@ -457,6 +457,31 @@ public function testDownloadsToFileShouldNotCreateFileWhenObjectNotFound()
         $this->assertFileDoesNotExist($downloadFilePath);
     }
 
+    /**
+     * @dataProvider provideInvalidFilePaths
+     */
+    public function testDownloadsToFileShouldBlockPathTraversal(string $invalidFilePath)
+    {
+        $this->expectException(\RuntimeException::class);
+        $this->expectExceptionMessage(
+            'Path traversal is not allowed. File path is outside the designated directory.'
+        );
+
+        $objectName = uniqid(self::TESTING_PREFIX);
+        $testObject = self::$bucket->object($objectName);
+
+        $testObject->downloadToFile($invalidFilePath . $objectName);
+    }
+
+    public function provideInvalidFilePaths()
+    {
+        return [
+            ['storage/../..'], // relative traversal
+            ['/storage/'], // absolute filepath
+            ['C:/storage/'], // windows drive letters
+        ];
+    }
+
     public function testDownloadsPublicFileWithUnauthenticatedClient()
     {
         $objectName = uniqid(self::TESTING_PREFIX);

Storage/tests/Unit/StorageObjectTest.php

@@ -540,7 +540,7 @@ public function testDownloadsToFileShouldNotCreateFileWhenObjectNotFound()
         $this->connection->downloadObject(Argument::any())
             ->willThrow(new NotFoundException($exceptionString));
         $object = 'non_existent_object.txt';
-        $downloadFilePath = __DIR__ . '/storage_test_downloads_to_file.txt';
+        $downloadFilePath = 'storage_test_downloads_to_file.txt';
         $object = new StorageObject($this->connection->reveal(), $object, self::BUCKET);
         $throws = false;
         try {
@@ -554,6 +554,33 @@ public function testDownloadsToFileShouldNotCreateFileWhenObjectNotFound()
         $this->assertFileDoesNotExist($downloadFilePath);
     }
 
+    /**
+     * @dataProvider provideInvalidFilePaths
+     */
+    public function testDownloadsToFileShouldBlockPathTraversal(string $invalidFilePath)
+    {
+        $this->expectException(\RuntimeException::class);
+        $this->expectExceptionMessage(
+            'Path traversal is not allowed. File path is outside the designated directory.'
+        );
+        $stream = Utils::streamFor('mock content');
+        $this->connection->downloadObject(Argument::any())
+            ->willReturn($stream);
+        $objectName = 'storage_test_downloads_to_file.txt';
+        $object = new StorageObject($this->connection->reveal(), $objectName, self::BUCKET);
+
+        $object->downloadToFile($invalidFilePath . $objectName);
+    }
+
+    public function provideInvalidFilePaths()
+    {
+        return [
+            ['storage/../..'], // relative traversal
+            ['/storage/'], // absolute filepath
+            ['C:/storage/'], // windows drive letters
+        ];
+    }
+
     public function testDownloadAsStreamWithoutExtraOptions()
     {
         $bucket = 'bucket';