gRPC path validation during backups to the file system (#32782)

stanislav-shchetinin · CyberROFL · web-flow · commit df19aba6ca0d · 2026-02-03T13:45:52.000+03:00
Co-authored-by: Ilnaz Nizametdinov &lt;i.nizametdinov@gmail.com&gt;
diff --git a/ydb/core/grpc_services/fs_path_validation.cpp b/ydb/core/grpc_services/fs_path_validation.cpp
@@ -0,0 +1,49 @@
+#include "fs_path_validation.h"
+
+#include <util/string/builder.h>
+#include <util/folder/pathsplit.h>
+
+namespace NKikimr::NGRpcService {
+
+namespace {
+
+bool ValidatePathComponents(const TString& path, const TString& pathDescription, TString& error) {
+    for (const auto& component : TPathSplit(path)) {
+        if (component == "..") {
+            error = TStringBuilder() << pathDescription << " contains path traversal sequence (..)";
+            return false;
+        }
+
+        if (component == ".") {
+            error = TStringBuilder() << pathDescription << " contains current directory reference (.)";
+            return false;
+        }
+    }
+    return true;
+}
+
+} // anonymous namespace
+
+bool ValidateFsPath(const TString& path, const TString& pathDescription, TString& error) {
+    if (path.empty()) {
+        return true;
+    }
+
+    // Check for null bytes
+    if (path.find('\0') != TString::npos) {
+        error = TStringBuilder() << pathDescription << " contains null byte";
+        return false;
+    }
+
+#ifndef _win_
+    if (path.Contains('\\')) {
+        error = TStringBuilder() << pathDescription
+            << " contains invalid path separator backslash (\\)";
+        return false;
+    }
+#endif
+
+    return ValidatePathComponents(path, pathDescription, error);
+}
+
+} // namespace NKikimr::NGRpcService
diff --git a/ydb/core/grpc_services/fs_path_validation.h b/ydb/core/grpc_services/fs_path_validation.h
@@ -0,0 +1,23 @@
+#pragma once
+
+#include <util/generic/string.h>
+
+namespace NKikimr::NGRpcService {
+
+/**
+ * Validates filesystem path for security vulnerabilities using current platform conventions.
+ *
+ * Platform-aware validation
+ * Checks for:
+ * - Null bytes
+ * - Path traversal sequences (..)
+ * - Current directory references (.)
+ *
+ * @param path The path to validate
+ * @param pathDescription Human-readable description of the path (for error messages)
+ * @param error Output parameter for error message if validation fails
+ * @return true if path is valid, false otherwise
+ */
+bool ValidateFsPath(const TString& path, const TString& pathDescription, TString& error);
+
+} // namespace NKikimr::NGRpcService
diff --git a/ydb/core/grpc_services/rpc_export.cpp b/ydb/core/grpc_services/rpc_export.cpp
@@ -3,6 +3,7 @@
 #include "rpc_export_base.h"
 #include "rpc_calls.h"
 #include "rpc_operation_request_base.h"
+#include "fs_path_validation.h"
 
 #include <ydb/public/api/protos/ydb_export.pb.h>
 #include <ydb/core/backup/common/encryption.h>
@@ -13,9 +14,15 @@
 
 #include <ydb/library/actors/core/hfunc.h>
 
+#include <util/folder/path.h>
 #include <util/generic/ptr.h>
 #include <util/string/builder.h>
 
+#ifdef _linux_
+#include <sys/vfs.h>
+#include <linux/magic.h>
+#endif
+
 namespace NKikimr {
 namespace NGRpcService {
 
@@ -569,10 +576,34 @@ class TExportRPC: public TRpcOperationRequestActor<TDerived, TEvRequest, true>,
         }
 
         if constexpr (IsFsExport) {
-            if (!settings.base_path().StartsWith("/")) {
+            if (!TFsPath(settings.base_path()).IsAbsolute()) {
                 return this->Reply(StatusIds::BAD_REQUEST, TIssuesIds::DEFAULT_ERROR,
                     "base_path must be an absolute path");
             }
+
+#ifdef _linux_
+            struct statfs fsInfo;
+            if (statfs(settings.base_path().c_str(), &fsInfo) == 0) {
+                if (fsInfo.f_type != NFS_SUPER_MAGIC) {
+                    return this->Reply(StatusIds::BAD_REQUEST, TIssuesIds::DEFAULT_ERROR,
+                        "base_path must be on NFS filesystem");
+                }
+            }
+#endif
+
+            TString error;
+            if (!ValidateFsPath(settings.base_path(), "base_path", error)) {
+                return this->Reply(StatusIds::BAD_REQUEST, TIssuesIds::DEFAULT_ERROR, error);
+            }
+
+            for (const auto& item : TTraits::GetItems(settings)) {
+                if (!TTraits::GetDestination(item).empty()) {
+                    const auto pathDesc = TStringBuilder() << "destination_path for item \"" << item.source_path() << "\"";
+                    if (!ValidateFsPath(TTraits::GetDestination(item), pathDesc, error)) {
+                        return this->Reply(StatusIds::BAD_REQUEST, TIssuesIds::DEFAULT_ERROR, error);
+                    }
+                }
+            }
         }
 
         if constexpr (!TTraits::HasSourcePath) {
diff --git a/ydb/core/grpc_services/rpc_import.cpp b/ydb/core/grpc_services/rpc_import.cpp
@@ -3,6 +3,7 @@
 #include "rpc_import_base.h"
 #include "rpc_calls.h"
 #include "rpc_operation_request_base.h"
+#include "fs_path_validation.h"
 
 #include <ydb/public/api/protos/ydb_import.pb.h>
 
@@ -13,9 +14,15 @@
 
 #include <library/cpp/regex/pcre/regexp.h>
 
+#include <util/folder/path.h>
 #include <util/generic/ptr.h>
 #include <util/string/builder.h>
 
+#ifdef _linux_
+#include <sys/vfs.h>
+#include <linux/magic.h>
+#endif
+
 namespace NKikimr {
 namespace NGRpcService {
 
@@ -137,14 +144,37 @@ class TImportRPC: public TRpcOperationRequestActor<TDerived, TEvRequest, true>,
         }
 
         if constexpr (IsFsImport) {
-            if (!settings.base_path().StartsWith("/")) {
+            if (!TFsPath(settings.base_path()).IsAbsolute()) {
                 return this->Reply(StatusIds::BAD_REQUEST, TIssuesIds::DEFAULT_ERROR,
                     "base_path must be an absolute path");
             }
+
+#ifdef _linux_
+            struct statfs fsInfo;
+            if (statfs(settings.base_path().c_str(), &fsInfo) == 0) {
+                if (fsInfo.f_type != NFS_SUPER_MAGIC) {
+                    return this->Reply(StatusIds::BAD_REQUEST, TIssuesIds::DEFAULT_ERROR,
+                        "base_path must be on NFS filesystem");
+                }
+            }
+#endif
+
+            TString error;
+            if (!ValidateFsPath(settings.base_path(), "base_path", error)) {
+                return this->Reply(StatusIds::BAD_REQUEST, TIssuesIds::DEFAULT_ERROR, error);
+            }
+
             for (const auto& item : settings.items()) {
                 if (item.destination_path().empty() && item.source_path().empty()) {
                     return this->Reply(StatusIds::BAD_REQUEST, TIssuesIds::DEFAULT_ERROR, "Empty item is not allowed");
                 }
+
+                if (!item.source_path().empty()) {
+                    const auto pathDesc = TStringBuilder() << "source_path for item to \"" << item.destination_path() << "\"";
+                    if (!ValidateFsPath(item.source_path(), pathDesc, error)) {
+                        return this->Reply(StatusIds::BAD_REQUEST, TIssuesIds::DEFAULT_ERROR, error);
+                    }
+                }
             }
         }
 
diff --git a/ydb/core/grpc_services/ya.make b/ydb/core/grpc_services/ya.make
@@ -9,6 +9,7 @@ SRCS(
     audit_log.cpp
     audit_logins.cpp
     db_metadata_cache.h
+    fs_path_validation.cpp
     grpc_endpoint_publish_actor.cpp
     grpc_helper.cpp
     grpc_mon.cpp
diff --git a/ydb/services/ydb/backup_ut/fs_backup_validation_ut.cpp b/ydb/services/ydb/backup_ut/fs_backup_validation_ut.cpp
diff --git a/ydb/services/ydb/backup_ut/ya.make b/ydb/services/ydb/backup_ut/ya.make
