PhysicalFileProvider allows access to files inside excluded directories

[rameel]

Description

The current implementation of PhysicalFileProvider checks exclusion filters only for the requested file or directory and ignores that this file or directory may be located inside the excluded directory (e.g., .hidden/data/config.json).

Reproduction Steps

[Test]
public void Sample()
{
    var root = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
    var path = Path.Join(root, ".hidden/data/config.json");

    Directory.CreateDirectory(Path.GetDirectoryName(path)!);

    File.WriteAllText(path, "Hello World!");

    var provider = new PhysicalFileProvider(root, ExclusionFilters.Sensitive);
    var file = provider.GetFileInfo(".hidden/data/config.json");

    Assert.That(file.Exists, Is.False);
}

Expected behavior

The file .hidden/data/config.json should not be accessible when ExclusionFilters.Sensitive is applied.

Actual behavior

The file .hidden/data/config.json is accessible even with ExclusionFilters.Sensitive applied.

Regression?

No response

Known Workarounds

No response

Configuration

No response

Other information

No response

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-io
See info in area-owners.md if you want to be subscribed.

[jozkee]

This happens because GetFileInfo only checks the file or directory name, not the whole path. If we wanted to change it, we would have to check if any path component contains a dot prefix, the Hidden or the System file attributes.

runtime/src/libraries/Microsoft.Extensions.FileProviders.Physical/src/Internal/FileSystemInfoHelper.cs

Lines 18 to 21 in 34c3442

	else if (fileSystemInfo.Name.StartsWith(".", StringComparison.Ordinal) && (filters & ExclusionFilters.DotPrefixed) != 0)
	{
	return true;
	}

[jozkee]

Changing the behavior would be a breaking change. @rameel as a workaround, you could set FileAttributes.Hidden to config.json.

[rameel]

I encountered this issue while writing some tests. It seems like unexpected behavior, and there's no mention of it in the documentation. The behavior is also inconsistent, when enumerating DirectoryContents will skip this directory, but the files within it are still accessible through their direct path.

[rameel]

Could this be considered a security issue? It might be worth fixing, even if it results in a breaking change, since this behavior could be quite unexpected for some and doesn’t match the documentation.

Just a suggestion.

[jozkee]

Is not inconsistent, if you specify ".hidden/data" as subpath, you will get the config.json enumerated.

[Test]
public void Sample()
{
    var root = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
    var path = Path.Join(root, ".hidden/data/config.json");

    Directory.CreateDirectory(Path.GetDirectoryName(path)!);

    File.WriteAllText(path, "Hello World!");

    var provider = new PhysicalFileProvider(root, ExclusionFilters.Sensitive);
    var file = provider.GetFileInfo(".hidden/data/config.json");

    // Assert.That(file.Exists, Is.False);

    IDirectoryContents contents = provider.GetDirectoryContents(".hidden/data");
    foreach (IFileInfo item in contents)
    {
        Console.WriteLine(item.Name);
        Console.WriteLine(item.Exists);  
    }
}

[jozkee]

I don't think this is a security issue, you can find this behavior on dir and ls too.

[Clockwork-Muse]

If by security issue you're trying to prevent directory traversal from a user-specified string, the better thing to do is whitelist the absolute/canonical paths/specific directories users are allowed to access, and allow them ownership of that entire directory (and everything that needs to be secure goes somewhere else). "Partially owned" directories are a problem regardless if the process owns the entire tree (as opposed to having access controlled by the OS).