fix: path traversal false positive on filenames containing .. #35644

Open
Maxwell Calkin (MaxwellCalkin) wants to merge 1 commit into langchain-ai:master from MaxwellCalkin:fix/file-search-path-traversal-false-positive

Conversation

@MaxwellCalkin

Description

Fixes #34961

FilesystemFileSearchMiddleware._validate_and_resolve_path() checks for path traversal using ".." in path, which is a substring match. This incorrectly rejects any path where .. appears anywhere in the string — including legitimate filenames like Next.js catch-all routes ([...nextauth].ts).

Fix

Replace the substring check with a Path(path).parts membership check so that .. is only rejected when it appears as a discrete path segment (i.e., actual directory traversal like /../ or /foo/../bar), not when it appears inside a filename.

Before:

if ".." in path or "~" in path:

After:

segments = Path(path).parts
if ".." in segments or "~" in segments:

The same fix is applied to the ~ check for consistency.

Security is maintained by three layers of defense:

  1. Segment check (this fix) — rejects .. and ~ as path segments
  2. Path.resolve() — canonicalizes the path, collapsing any .. segments
  3. relative_to() containment check — ensures the resolved path is within the root directory

Tests

Added 3 tests to TestPathTraversalSecurity:

  • test_path_with_dots_in_filename_not_blocked — [...nextauth].ts glob works
  • test_path_with_dots_in_directory_name_not_blocked — my..folder directory works
  • test_grep_path_with_dots_in_filename — grep on [...nextauth].ts works

All existing path traversal security tests continue to pass since /../, ~/, etc. contain ../~ as discrete path segments.
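The three-layer validation described above, as an added example that is not part of this PR or of the langchain code base: the before/after segment checks side by side, followed by resolve() and the relative_to() containment check. The root directory, function names and sample paths are assumptions chosen for illustration.

```python
from pathlib import Path
from typing import Optional

# Hypothetical root directory for the example (the real middleware keeps its own root_path).
ROOT = Path("/srv/app").resolve()


def segment_check_old(path: str) -> bool:
    """Pre-fix check: a substring match, so '..' or '~' anywhere in the string rejects the path.
    Returns True when the path would be accepted."""
    return not (".." in path or "~" in path)


def segment_check_new(path: str) -> bool:
    """Post-fix check: '..' and '~' are rejected only as discrete path segments.
    Path('a/../b').parts == ('a', '..', 'b'), while '[...nextauth].ts' stays a single segment."""
    segments = Path(path).parts
    return not (".." in segments or "~" in segments)


def validate_and_resolve(path: str, root: Path = ROOT) -> Optional[Path]:
    """Layered validation in the shape the PR describes:
      1. segment check (cheap first-pass filter)
      2. resolve(), which canonicalizes and collapses any remaining '..'
      3. relative_to(root) containment check, the actual security boundary
    Returns the resolved path if it lies inside root, otherwise None."""
    if not segment_check_new(path):
        return None  # layer 1: an explicit traversal segment
    candidate = Path(path)
    if not candidate.is_absolute():
        candidate = root / candidate
    full_path = candidate.resolve()  # layer 2: canonical form (non-strict, nothing needs to exist on disk)
    try:
        full_path.relative_to(root)  # layer 3: must remain under root
    except ValueError:
        return None  # e.g. an absolute path outside root, which layer 1 alone cannot see
    return full_path


def compare(paths):
    """Return {path: (old_check_accepts, new_check_accepts, resolved_or_None)} for sample paths."""
    return {p: (segment_check_old(p), segment_check_new(p), validate_and_resolve(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate names containing dots, two traversal
    # attempts, and an absolute path outside root that only the containment layer catches.
    samples = [
        "pages/api/auth/[...nextauth].ts",
        "my..folder/notes.txt",
        "../../etc/passwd",
        "~/secret",
        "/etc/passwd",
    ]
    for p, (old, new, resolved) in compare(samples).items():
        print(f"{p:35} old={old!s:5} new={new!s:5} resolved={resolved}")
```

The last sample is the reason the containment check, not the segment check, is the boundary that matters: an absolute path contains neither `..` nor `~`, passes both versions of the first layer, and is rejected only because the resolved path is not relative to the root.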

…detection

The path traversal check in _validate_and_resolve_path() used
'".." in path' which is a substring match. This incorrectly
rejected filenames containing ".." such as Next.js catch-all
routes like "[...nextauth].ts".

Replace with Path(path).parts membership check so that ".." is
only rejected when it appears as a discrete path segment (actual
traversal) rather than as part of a filename.

The resolve() + relative_to() check below already provides the
primary security boundary; this is defense-in-depth.

Fixes langchain-ai#34961
github-actions bot added the labels external, fix (For PRs that implement a fix) and langchain (`langchain` package issues & PRs), and removed the labels fix and external, on Mar 8, 2026
@nidhishgajjar

Orb Code Review (powered by GLM 5.1 on Orb Cloud)

PR #35644: fix: path traversal false positive on filenames containing ..

Findings

Core fix: segment-based path traversal check ✅ Correct and well-targeted

The old code used a simple substring check:

if ".." in path or "~" in path:

This incorrectly rejected any path containing .. anywhere — including legitimate files like Next.js catch-all routes ([...nextauth].ts) or directories like my..folder.

The fix correctly uses path segments:

segments = Path(path).parts
if ".." in segments or "~" in segments:

This only rejects paths where .. or ~ appear as discrete path segments (i.e., actual directory traversal attempts), while allowing them within filenames. For example:

  • /pages/api/auth/[...nextauth].ts → segments: ("/", "pages", "api", "auth", "[...nextauth].ts") → ✅ allowed
  • /../../etc/passwd → segments: ("/", "..", "..", "etc", "passwd") → ❌ blocked

Security: The defense-in-depth full_path.relative_to(self.root_path) check after resolve() remains in place as the true security boundary. The segment-based check serves as a first-pass filter, and both layers working together is good practice.

Tests: Good test coverage with three new test cases covering filenames and directory names containing .. for both glob and grep operations.

Summary: A clean, well-targeted fix for a false positive in the path traversal protection. The segment-based approach correctly distinguishes between actual traversal attempts (.. as a path component) and legitimate filenames containing ... Security posture is maintained.

Assessment: approve

Labels: external; langchain (`langchain` package issues & PRs); size: L (500-999 LOC)

Development

Successfully merging this pull request may close these issues.

FileSystemBackend path traveseral on NextJS files

2 participants