fix: Sanitize fileName to prevent path traversal vulnerability (VULN-1123) #259

Open

fix-it-felix-sentry[bot] wants to merge 1 commit into main from fix/path-traversal-vuln-1123

Conversation

@fix-it-felix-sentry

Summary

This PR fixes a path traversal vulnerability by sanitizing user-provided file names before using them in file path construction.

Changes

  • Sanitize fileName parameter in Store() method using Path.GetFileName() to extract only the filename component
  • Sanitize fileName in conflict file handling within StoreIsolated() method
  • Add validation to reject empty or null filenames after sanitization

Security Impact

The application was building file paths from potentially untrusted data (user-provided file names), which could lead to path traversal attacks. An attacker could manipulate the path using sequences like ../../../ to access or write files outside the intended directories.

The fix uses Path.GetFileName() which:

  • Removes any directory path components from the input
  • Prevents path traversal sequences like ../ from being effective
  • Returns only the actual filename without any path information

Testing

Existing tests cover the changed code paths and will verify that:

  • Normal file uploads continue to work correctly
  • File names are properly extracted and stored
  • Symbol processing continues as expected

References

This fixes VULN-1123 by sanitizing user-provided file names to prevent
path traversal attacks. The fix uses Path.GetFileName() to extract only
the filename component, removing any directory path traversal sequences
like '../' that could be used to access files outside the intended
directories.

Changes:
- Sanitize fileName parameter in Store() method before using it in path construction
- Sanitize fileName in conflict file handling within StoreIsolated() method
- Add validation to reject empty or null filenames after sanitization

References:
- https://linear.app/getsentry/issue/VULN-1123
- https://owasp.org/www-community/attacks/Path_Traversal
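The sanitization described above, as an added example that is not the project's own code: Path.GetFileName() as the PR applies it, plus two checks a reviewer would want alongside it (rejecting "." and "..", which GetFileName() returns unchanged, and confirming the canonical path is still under the intended directory). The class and method names and baseDir are assumptions.

```csharp
using System;
using System.IO;

// Added example, not symbol-collector's own code. "baseDir" and the method
// names are assumptions; the Path.GetFileName() step is the one the PR uses.
public static class SafeFileNames
{
    // Returns the sanitized file name, or null when the input is unusable.
    public static string? Sanitize(string? fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            return null;

        // Strip any directory component: "../../etc/passwd" -> "passwd".
        var name = Path.GetFileName(fileName);

        // GetFileName("..") returns ".." unchanged, and "." would resolve to
        // the directory itself, so both must be rejected explicitly.
        if (string.IsNullOrEmpty(name) || name == "." || name == "..")
            return null;

        // On Linux/macOS only '/' is a separator, so a '\' survives
        // GetFileName; reject it to keep behaviour identical across platforms.
        if (name.IndexOfAny(new[] { '/', '\\' }) >= 0)
            return null;

        return name;
    }

    // Combines the sanitized name with baseDir and verifies, as a second
    // line of defence, that the canonical result is still inside baseDir.
    public static string ResolveUnder(string baseDir, string? fileName)
    {
        var name = Sanitize(fileName)
            ?? throw new ArgumentException("Invalid file name.", nameof(fileName));

        var root = Path.GetFullPath(baseDir);
        var full = Path.GetFullPath(Path.Combine(root, name));

        var rootWithSep = root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!full.StartsWith(rootWithSep, StringComparison.Ordinal))
            throw new InvalidOperationException("Resolved path left the upload directory.");

        return full;
    }
}
```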
@linear

linear bot commented Feb 18, 2026

@github-actions

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


New Features ✨

  • Upgrade Sentry SDK to 6.1.0-alpha.1 and add trace-connected met… by bruno-garcia in #252

Bug Fixes 🐛

  • (cloudbuild) Use actual repo name parameter by Flash0ver in #256
  • Sanitize fileName to prevent path traversal vulnerability (VULN-1123) by fix-it-felix-sentry[bot] in #259
  • Clean up action version comments by BYK in #253

Internal Changes 🔧

Release

  • Fix changelog-preview permissions by BYK in #257
  • Bump Craft version to fix issues by BYK in #254
  • Switch from action-prepare-release to Craft by BYK in #251

Other

  • (deps) Upgrade Sentry SDK to 6.1.0 by Flash0ver in #258
  • Use pull_request_target for changelog preview by BYK in #255

🤖 This preview updates automatically when you update the PR.
