security(upload): block path traversal in multipart file upload paths #2218

Draft: cursor[bot] wants to merge 1 commit into main from cursor/application-security-review-b8cd

@cursor cursor Bot commented May 18, 2026

Description

Fixes a medium severity path-traversal risk in UploadUtils.uploadFiles when uploads use MultipartFile.fromPath with a path value that may come from partially trusted data (for example API JSON evaluated into FileUploadAction file descriptors, including background Workmanager uploads).

Related Issue

Scheduled application security review (no tracked issue).

Type of Change

  • Bug fix (non-breaking change that fixes an issue)

Vulnerability summary

  • Who the attacker is: A party that can influence the path field on upload File objects consumed by FileUploadAction / UploadUtils.uploadFiles (e.g. a compromised or malicious API response bound into the action, or other app logic that forwards untrusted paths).
  • Controlled input: Local filesystem path strings containing .. path segments (after normalising \ to /).
  • Reachability: upload_files_action.dart evaluates files via DataContext.eval, builds File instances (including path from maps), and calls UploadUtils.uploadFiles. Background uploads deserialize the same structure in ensemble_app.dart and call UploadUtils.uploadFiles.
  • Impact: The runtime could be tricked into reading and exfiltrating files outside the path the app author assumed, by escaping with .. segments before the final read used for multipart construction.
  • Why medium: Confidentiality impact (unauthorised file read leading to upload) with a realistic path when app YAML binds file paths to data that is not fully trusted; not remote code execution by itself.
  • Remediation: Reject any upload path whose segments include .. before MultipartFile.fromPath.

What Has Changed

  • Added uploadPathContainsParentSegment in modules/ensemble/lib/util/upload_utils.dart and enforced it in the upload loop.
  • Added modules/ensemble/test/upload_path_security_test.dart.

How to Test

  1. cd modules/ensemble && flutter test test/upload_path_security_test.dart
  2. Manual: configure a FileUploadAction whose files resolves to a map with path containing ../; confirm upload fails with FormatException and no multipart read occurs for that path.

Screenshots / Videos

N/A

Checklist

  • I have run flutter analyze and addressed any new warnings
  • I have run flutter test and all tests pass
  • I have tested my changes on the relevant platform(s)
  • I have updated documentation if needed
  • My changes do not introduce new warnings or errors

Note: CI Flutter SDK was not available in the automation sandbox; please run flutter test / flutter analyze locally for the checklist items.


…oads

Block path-traversal in local paths passed to MultipartFile.fromPath when
paths may come from partially trusted bindings (e.g. API JSON in
FileUploadAction). Add unit tests for the path guard.

Co-authored-by: Sharjeel Yunus <sharjeelyunus@users.noreply.github.com>
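
The remediation described in this pull request (normalise `\` to `/`, reject any path that has a `..` segment, fail with `FormatException`), written out as an added Dart example. It is not the code from this pull request; `hasParentSegment`, `checkedUploadPath` and the sample paths are hypothetical and constructed for illustration.

```dart
// Added example, not the project's code. All names here are hypothetical.

/// Returns true when any segment of [path] is exactly "..".
/// Backslashes are normalised to "/" first so Windows-style
/// separators cannot hide a parent-directory segment.
bool hasParentSegment(String path) {
  final normalised = path.replaceAll('\\', '/');
  return normalised.split('/').any((segment) => segment == '..');
}

/// Returns [path] unchanged when it passes the check, otherwise throws
/// FormatException before any file is opened for the multipart body.
String checkedUploadPath(String path) {
  if (hasParentSegment(path)) {
    throw FormatException(
        'Upload path contains a parent-directory segment', path);
  }
  return path;
}

void main() {
  // Constructed sample paths covering the edge cases of a segment check.
  const samples = <String>[
    '/data/user/0/app/cache/photo.jpg', // plain path, no ".." segment
    'cache/../../databases/app.db', // ".." segments with "/"
    r'cache\..\secrets.txt', // ".." segment behind backslashes
    'cache/report..final.pdf', // dots inside a file name, not a segment
    'cache/..hidden/file.txt', // segment that only starts with ".."
    '..', // the whole path is a parent segment
  ];
  for (final p in samples) {
    try {
      checkedUploadPath(p);
      print('accept  $p');
    } on FormatException catch (e) {
      print('reject  $p  (${e.message})');
    }
  }
}
```

The comparison is on whole segments, so file names that merely contain dots are not rejected. A segment check of this kind does not by itself confine a path to a particular directory; that would be a separate containment check against a known base path.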