From d09801bcabc775f5fab768bef66e064ed605db71 Mon Sep 17 00:00:00 2001
From: MirzaSamadAhmedBaig <mirzasamadahmedbaig@gmail.com>
Date: Wed, 30 Jul 2025 00:34:35 +0500
Subject: [PATCH] fix: critical path traversal vulnerability in WebDAV proxy
 endpoint

- Sanitize path components to prevent directory traversal attacks
- Filter out '.', '..', and empty path components
- URL encode path components to prevent injection attacks
- Prevents potential SSRF attacks via path manipulation

This vulnerability could allow attackers to:
- Access unintended resources outside the WebDAV scope
- Potentially reach internal services or metadata endpoints
- Bypass access controls through path manipulation

Security impact: HIGH - Path traversal is a critical security issue
---
 app/api/webdav/[...path]/route.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/api/webdav/[...path]/route.ts b/app/api/webdav/[...path]/route.ts
index bb7743bda..14998b6e2 100644
--- a/app/api/webdav/[...path]/route.ts
+++ b/app/api/webdav/[...path]/route.ts
@@ -62,7 +62,12 @@ async function handle(
     endpoint += "/";
   }
 
-  const endpointPath = params.path.join("/");
+  // Sanitize path components to prevent path traversal attacks
+  const sanitizedPathComponents = params.path
+    .filter(component => component && component !== '.' && component !== '..')
+    .map(component => encodeURIComponent(component));
+  
+  const endpointPath = sanitizedPathComponents.join("/");
   const targetPath = `${endpoint}${endpointPath}`;
 
   // only allow MKCOL, GET, PUT