fix: Create credentials in folder (#1019)

timja · web-flow · commit e7532596f1fd · 2026-02-17T16:38:46.000Z
diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsStoreAction.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsStoreAction.java
@@ -586,7 +586,7 @@ public String getRelativePath() {
             }
             // Validate the relative path as a security hardening
             // There is no known attack vector here, but just in case as it does control what the form action is.
-            if (!relativePath.startsWith("/")) {
+            if (!(relativePath.startsWith("/") || relativePath.startsWith("../"))) {
                 return null;
             }
             // Prevent protocol-relative URLs

Original file line number	Diff line number	Diff line change
`@@ -586,7 +586,7 @@ public String getRelativePath() {`
`586`	`586`	`}`
`587`	`587`	`// Validate the relative path as a security hardening`
`588`	`588`	`// There is no known attack vector here, but just in case as it does control what the form action is.`
`589`		`- if (!relativePath.startsWith("/")) {`
	`589`	`+ if (!(relativePath.startsWith("/") \|\| relativePath.startsWith("../"))) {`
`590`	`590`	`return null;`
`591`	`591`	`}`
`592`	`592`	`// Prevent protocol-relative URLs`