Skip to content

Security: Strengthen path traversal validation in PDF preview endpoint #503

@cbcoutinho

Description

@cbcoutinho

Problem

The path traversal check in visualization.py:709 only checks for ".." in the file path:

if ".." in file_path:
    return JSONResponse({"success": False, "error": "Invalid file path"}, status_code=400)

This can be bypassed with:

  • URL encoding (e.g., %2e%2e)
  • Double encoding
  • Unicode variations

While WebDAV may normalize paths, defense-in-depth is important.

Recommendation

Use Python's pathlib to resolve and validate paths:

from pathlib import Path

# Normalize and check for traversal
try:
    # Remove leading slash for Path() to work correctly
    normalized_path = Path(file_path.lstrip('/'))
    # Check if '..' appears in any path components after normalization
    if '..' in normalized_path.parts:
        return JSONResponse({"success": False, "error": "Invalid file path"}, status_code=400)
except (ValueError, OSError):
    return JSONResponse({"success": False, "error": "Invalid file path"}, status_code=400)

Location

  • nextcloud_mcp_server/api/visualization.py:709

Priority

Critical - Security issue, must fix before merge

Parent Issue

Part of #502

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions