
DIAL Core API accepts folder creation requests with restricted symbols and path traversal sequences, enabling security vulnerabilities #1357

@nartovm

Name and Version

0.43.0-rc

Description

The DIAL Core Files API (/api/files/*) lacks input validation for folder path creation, accepting requests containing:

  1. Restricted filesystem characters (;, %, special symbols)
  2. Path traversal sequences (../../)

The folder creation endpoint does not validate path components before accepting requests.

Confirmed vulnerabilities

  1. Path traversal acceptance. The API accepts relative path sequences in folder names:
  • Pattern tested: /../../folderName
  • Result: Request accepted (HTTP 200)
  • Risk: Attackers can potentially escape designated storage boundaries and create/modify files outside authorized directories
  2. Unrestricted special characters. POST requests containing filesystem-unsafe characters are accepted without validation:
  • Example request path: /api/files/{bucket}/ж/%;/.sh/.dial_folder (contains Cyrillic character ж, semicolon ;, percent %, and shell extension .sh)
  • Response: HTTP 200 (success)
  • Risk:
    • Command injection if paths are used in shell operations
    • Filesystem corruption on Windows (reserved characters: | ? * < >)
    • Cross-platform compatibility failures
  3. Missing character set validation. The API accepts mixed character encodings without normalization, enabling:
  • UTF-8 encoding exploits
  • Bypassing client-side filters through character substitution

Reproduction steps

  1. Send POST request to folder creation endpoint:
  2. POST /api/files/{bucket}/ж/%;/.sh/.dial_folder
  3. Observe HTTP 200 response
  4. Verify folder metadata file created with unrestricted path

Expected behavior

The API should:

  1. Validate all path components against a restricted character allowlist
  2. Reject path traversal sequences (../, ..\, URL-encoded variants)
  3. Normalize Unicode characters (NFC/NFD) and reject mixed scripts
  4. Return HTTP 400 with descriptive error for invalid requests
  5. Apply consistent validation across all folder/file operation endpoints
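One way to implement the five checks listed above, written as an added Python example for this issue (it is not DIAL Core's own code): each request path component is percent-decoded once, double-encoding, traversal tokens and reserved characters are rejected, the name is NFC-normalised, and mixed-script names are refused. The function names, the reserved-character set and the Unicode-name-based script heuristic are assumptions made for the example, not part of the DIAL API.

```python
import unicodedata
from urllib.parse import unquote

# Reserved on Windows or meaningful to shells; rejected inside any component.
# This set is an assumption for the example, not DIAL's own list.
RESERVED = set('<>:"|?*;%&$`\\/')
TRAVERSAL = {".", ".."}  # components that would walk the tree

class InvalidPath(ValueError):
    """Raised for a request path the folder API should answer with HTTP 400."""

def validate_folder_path(raw_path: str) -> list[str]:
    """Validate the still-encoded part after /api/files/{bucket}/ and return
    its decoded, NFC-normalised components; raise InvalidPath otherwise."""
    if not raw_path or len(raw_path) > 1024:
        raise InvalidPath("empty or oversized path")
    components = []
    for raw in raw_path.split("/"):
        if raw == "":
            raise InvalidPath("empty component (leading, trailing or doubled '/')")
        decoded = unquote(raw)
        # A second decode that still changes the value means a double-encoded
        # sequence such as %252e%252e; reject rather than guess the intent.
        if unquote(decoded) != decoded:
            raise InvalidPath(f"double-encoded component: {raw!r}")
        # Canonical composed form, so composed/decomposed spellings of the same
        # name cannot slip past the checks below.
        name = unicodedata.normalize("NFC", decoded)
        if name in TRAVERSAL or name != name.strip():
            raise InvalidPath(f"traversal or padded component: {raw!r}")
        scripts = set()
        for ch in name:
            cat = unicodedata.category(ch)
            if ch in RESERVED or cat[0] == "C" or cat in ("Zl", "Zp"):
                raise InvalidPath(f"disallowed character {ch!r} in {raw!r}")
            if ch.isalpha():
                # Script heuristic: first word of the Unicode name (LATIN, CYRILLIC, ...).
                scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
        if len(scripts) > 1:
            raise InvalidPath(f"mixed scripts {sorted(scripts)} in {raw!r}")
        components.append(name)
    return components

def is_valid_folder_path(raw_path: str) -> bool:
    """Boolean form for a request filter: True only if validation passes."""
    try:
        validate_folder_path(raw_path)
    except InvalidPath:
        return False
    return True
```

A filter in front of the folder endpoint would call `validate_folder_path` and map `InvalidPath` to an HTTP 400 response carrying the exception message.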

Notes

This ticket addresses Core API validation only. Client-side handling of malformed responses from Core will be tracked separately.

Status

Done