fix: Prevent path traversal in FileSystemFileStore

MikeAlhayek · Copilot · MikeAlhayek · commit 3a68fa5e1608 · 2026-03-28T07:05:54.000-07:00
Resolve CodeQL 'Uncontrolled data used in path expression' alerts
by validating that resolved file paths stay within the base directory.
Uses Path.GetFullPath() canonicalization and prefix check to block
directory traversal via ../ sequences in user-supplied file names.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/Startup/CrestApps.Mvc.Web/Services/FileSystemFileStore.cs b/src/Startup/CrestApps.Mvc.Web/Services/FileSystemFileStore.cs
@@ -6,13 +6,13 @@ public sealed class FileSystemFileStore
 
     public FileSystemFileStore(string basePath)
     {
-        _basePath = basePath;
-        Directory.CreateDirectory(basePath);
+        _basePath = Path.GetFullPath(basePath);
+        Directory.CreateDirectory(_basePath);
     }
 
     public async Task<string> SaveFileAsync(string fileName, Stream content)
     {
-        var filePath = Path.Combine(_basePath, fileName);
+        var filePath = GetSafePath(fileName);
         var directory = Path.GetDirectoryName(filePath);
         Directory.CreateDirectory(directory);
 
@@ -24,7 +24,7 @@ public async Task<string> SaveFileAsync(string fileName, Stream content)
 
     public Task<Stream> GetFileAsync(string fileName)
     {
-        var filePath = Path.Combine(_basePath, fileName);
+        var filePath = GetSafePath(fileName);
 
         if (!File.Exists(filePath))
         {
@@ -36,7 +36,7 @@ public Task<Stream> GetFileAsync(string fileName)
 
     public Task<bool> DeleteFileAsync(string fileName)
     {
-        var filePath = Path.Combine(_basePath, fileName);
+        var filePath = GetSafePath(fileName);
 
         if (File.Exists(filePath))
         {
@@ -46,4 +46,17 @@ public Task<bool> DeleteFileAsync(string fileName)
 
         return Task.FromResult(false);
     }
+
+    private string GetSafePath(string fileName)
+    {
+        var fullPath = Path.GetFullPath(Path.Combine(_basePath, fileName));
+
+        if (!fullPath.StartsWith(_basePath + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
+            && !string.Equals(fullPath, _basePath, StringComparison.OrdinalIgnoreCase))
+        {
+            throw new ArgumentException("The file name contains an invalid path.");
+        }
+
+        return fullPath;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -6,13 +6,13 @@ public sealed class FileSystemFileStore`
`6`	`6`
`7`	`7`	`public FileSystemFileStore(string basePath)`
`8`	`8`	`{`
`9`		`- _basePath = basePath;`
`10`		`- Directory.CreateDirectory(basePath);`
	`9`	`+ _basePath = Path.GetFullPath(basePath);`
	`10`	`+ Directory.CreateDirectory(_basePath);`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`public async Task<string> SaveFileAsync(string fileName, Stream content)`
`14`	`14`	`{`
`15`		`- var filePath = Path.Combine(_basePath, fileName);`
	`15`	`+ var filePath = GetSafePath(fileName);`
`16`	`16`	`var directory = Path.GetDirectoryName(filePath);`
`17`	`17`	`Directory.CreateDirectory(directory);`
`18`	`18`
`@@ -24,7 +24,7 @@ public async Task<string> SaveFileAsync(string fileName, Stream content)`
`24`	`24`
`25`	`25`	`public Task<Stream> GetFileAsync(string fileName)`
`26`	`26`	`{`
`27`		`- var filePath = Path.Combine(_basePath, fileName);`
	`27`	`+ var filePath = GetSafePath(fileName);`
`28`	`28`
`29`	`29`	`if (!File.Exists(filePath))`
`30`	`30`	`{`
`@@ -36,7 +36,7 @@ public Task<Stream> GetFileAsync(string fileName)`
`36`	`36`
`37`	`37`	`public Task<bool> DeleteFileAsync(string fileName)`
`38`	`38`	`{`
`39`		`- var filePath = Path.Combine(_basePath, fileName);`
	`39`	`+ var filePath = GetSafePath(fileName);`
`40`	`40`
`41`	`41`	`if (File.Exists(filePath))`
`42`	`42`	`{`
`@@ -46,4 +46,17 @@ public Task<bool> DeleteFileAsync(string fileName)`
`46`	`46`
`47`	`47`	`return Task.FromResult(false);`
`48`	`48`	`}`
	`49`	`+`
	`50`	`+ private string GetSafePath(string fileName)`
	`51`	`+ {`
	`52`	`+ var fullPath = Path.GetFullPath(Path.Combine(_basePath, fileName));`
	`53`	`+`
	`54`	`+ if (!fullPath.StartsWith(_basePath + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)`
	`55`	`+ && !string.Equals(fullPath, _basePath, StringComparison.OrdinalIgnoreCase))`
	`56`	`+ {`
	`57`	`+ throw new ArgumentException("The file name contains an invalid path.");`
	`58`	`+ }`
	`59`	`+`
	`60`	`+ return fullPath;`
	`61`	`+ }`
`49`	`62`	`}`