fix(core): path traversal guard

kestra-io · Jan 3, 2025 · f1a2c64 · f1a2c64
1 parent 33e01ff
commit f1a2c64
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/src/main/java/io/kestra/core/storages/StorageInterface.java b/core/src/main/java/io/kestra/core/storages/StorageInterface.java
@@ -105,7 +105,7 @@ default URI from(Execution execution, String input, File file) throws IOExceptio
      * Throws an IllegalArgumentException if the URI is not absolute: a.k.a., if it contains <code>".." + File.separator</code>.
      */
     default void parentTraversalGuard(URI uri) {
-        if (uri != null && uri.toString().contains(".." + File.separator)) {
+        if (uri != null && (uri.toString().contains(".." + File.separator) || uri.toString().contains(File.separator + "..") || uri.toString().equals(".."))) {
             throw new IllegalArgumentException("File should be accessed with their full path and not using relative '..' path.");
         }
     }