SubFileSystem fails to confine operations to its declared sub path when the input path is /../ (or equivalents /../, /..\\). This path passes all validation but resolves to the root of the parent filesystem, allowing directory level operations outside the intended boundary.
Zio.UPath.ValidateAndNormalize
Zio.FileSystems.SubFileSystem
UPath.ValidateAndNormalize has a trailing slash optimisation.
if (!processParts && i + 1 == path.Length)
return path.Substring(0, path.Length - 1);
When the input ends with / or \, and processParts is still false, the function strips the trailing separator and returns immediately before the .. resolution logic runs. The input /../ triggers this path: the trailing / is the last character, processParts has not been set (because .. as the first relative segment after root is specifically exempted), so the function returns /.. with the .. segment unresolved.
The resulting UPath with FullName = "/.." is absolute, contains no control characters, and no colon so it passes FileSystem.ValidatePath without rejection.
When this path reaches SubFileSystem.ConvertPathToDelegate:
protected override UPath ConvertPathToDelegate(UPath path)
{
var safePath = path.ToRelative(); // "/..".ToRelative() = ".."
return SubPath / safePath; // "/jail" / ".." = "/" (resolved by Combine)
}
The delegate filesystem receives / (the root) instead of a path under /jail.
using Zio;
using Zio.FileSystems;
var root = new MemoryFileSystem();
root.CreateDirectory("/sandbox");
var sub = new SubFileSystem(root, "/sandbox");
Console.WriteLine(sub.DirectoryExists("/../")); // True (sees parent root)
Console.WriteLine(sub.ConvertPathToInternal("/../")); // "/" (parent root path)
The escape is limited to directory level operations because appending a filename after .. (e.g.,...
0.22.2Exploitability
AV:LAC:LPR:LUI:NScope
S:CImpact
C:LI:NA:N3.8/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N