Skip to content

refactor(filesystem): clean up isValidPath() logic and update docs #57325

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
joshtrichards wants to merge 2 commits into
base: master
Choose a base branch
from
Open

refactor(filesystem): clean up isValidPath() logic and update docs #57325

joshtrichards wants to merge 2 commits into from
+17 −8

Conversation

@joshtrichards
Copy link
Member

@joshtrichards joshtrichards commented Jan 3, 2026

Summary

  • Optimizations/code cleanup:
    • Removes redundant checks; normalization already guarantees path is absolute
    • Replaces strrchr with str_ends_with
    • Adds parameter and return type hints (were already enforced via static analysis; should be safe)
  • Docs:
    • Note it's primary role as a security boundary for path validation and what specifically it handles

No functional change in logic: the production code path is just simpler and optimized.

TODO

  • ...

Checklist

@joshtrichards joshtrichards marked this pull request as ready for review January 4, 2026 01:56
@joshtrichards joshtrichards requested a review from a team as a code owner January 4, 2026 01:56
@joshtrichards joshtrichards requested review from Altahrim, leftybournes, salmart-dev and yemkareems and removed request for a team January 4, 2026 01:56
@joshtrichards joshtrichards added 3. to review Waiting for reviews feature: filesystem ♻️ refactor Refactor code (not a bug fix, not a feature just refactoring) technical debt labels Jan 4, 2026
susnux
susnux reviewed Jan 6, 2026
View reviewed changes
lib/private/Files/Filesystem.php
Comment on lines +395 to +403
* This method is the primary defense against directory traversal and
* path manipulation attacks. It ALWAYS normalizes the input (see {@see normalizePath}),
* converting slash and unicode variants to a canonical absolute path.
*
* After normalization, any path containing '/..' segments (traversal attempts) is rejected.
* Normalized paths like '//foo//bar' are allowed and become '/foo/bar'.
*
* @param string $path Untrusted or user-supplied path to check.
* @return bool True if the path is safe, false otherwise.
Copy link
Contributor

@susnux susnux Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The doc string is longer than the implementation of the the function, it literally describes the implementation.
IMHO this is not a good thing because docs are not always kept up to date and will differ from implementation and then it just confuses at some point.
Better to just state the intent of the method and make the code itself self explaining.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@susnux susnux susnux left review comments

@Altahrim Altahrim Altahrim approved these changes

@salmart-dev salmart-dev Awaiting requested review from salmart-dev salmart-dev is a code owner automatically assigned from nextcloud/server-backend

@yemkareems yemkareems Awaiting requested review from yemkareems yemkareems is a code owner automatically assigned from nextcloud/server-backend

@leftybournes leftybournes Awaiting requested review from leftybournes leftybournes is a code owner automatically assigned from nextcloud/server-backend

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

3. to review Waiting for reviews feature: filesystem ♻️ refactor Refactor code (not a bug fix, not a feature just refactoring) technical debt

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@joshtrichards @susnux @Altahrim