Resolve "[WebIDE] Folder name with special characters doesn't show its content in the UI"

What does this MR do and why?

The check_allowed_absolute_path! function in the file path validator was rejecting valid customer directory names that contain literal percent-encoded characters like %2FSAP%2F. This prevented WebIDE users from accessing files in directories with these names.

Root Cause

Double URL Decoding Issue: When customers have directories literally named %2FSAP%2F (with actual percent signs):

  1. The path comes in as %2FSAP%2F (the actual directory name)
  2. check_path_traversal! decodes it to /SAP/
  3. check_allowed_absolute_path! receives the decoded path /SAP/ and treats it as an absolute path
  4. The validation fails because /SAP/ appears absolute but isn't in the allowlist

Solution

Added an allow_initial_path_separator option to the file_path validator that:

  • Detects when encoded paths decode to absolute paths
  • Automatically adds the original encoded path to the allowlist
  • Only gets enabled in the Files API to maintain security for other use cases

Why This Is Safe

Targeted Scope:

  • Only affects the Files API (WebIDE use case)
  • All other APIs maintain existing security behaviour
  • No changes to core validation logic

Maintains All Security Checks:

  • Path traversal protection still works via check_path_traversal!(path)
  • Absolute path validation works correctly for other APIs

Correct Path Handling:

  • Allowlist properly matches literal directory names like %2FSAP%2F
  • No double-decoding that causes false absolute path detection
  • Preserves the actual directory name structure

Impact

  • Fixes: Customer directories with literal names like %2FSAP%2F now work correctly in WebIDE
  • Maintains Security: All existing security validations remain functional for other APIs
  • Targeted Fix: Only affects Files API, no impact on other parts of GitLab

Testing

  • Added test coverage for the new allow_initial_path_separator option
  • Tests verify encoded separators work when enabled, blocked when disabled
  • Existing path traversal and security tests continue to pass

References

Backend Comment on Absolute Path Handling - Confirms that the backend already avoids invalid absolute paths, and the frontend validation was added as an optimization to reduce RPC calls by returning early

Screenshots or screen recordings

Before: Screen Recording 2025-07-07 at 12.41.03 PM.mov
After: Screen Recording 2025-07-07 at 12.42.57 PM.mov

How to set up and validate locally

  1. Checkout this branch
  2. Open the Web IDE locally, create a directory named %2FSAP%2F and, inside that folder, create a file called test.txt
  3. Commit the change and push it to your local GDK
  4. Reload the Web IDE page and try to open that text file
  5. You should be able to access the content of the file without getting an error

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #431489 (closed)

Edited by Mohammed Osumah
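The decode-then-check sequence from the root cause, and the allow_initial_path_separator behaviour described in the solution, modelled as an added Ruby example. This is not GitLab's code: the method names follow the MR description, but the bodies are simplified stand-ins, the double-encoding rejection is an assumed safeguard, and the model adds the decoded form of the name to the allowlist (the MR text says the encoded form) because the decoded value is what the absolute-path check compares against here.

```ruby
require 'cgi'
require 'pathname'

# Illustrative model of the validation chain described in this MR.
# Added example code, not GitLab's implementation.
module PathCheck
  class Rejected < StandardError; end

  # ".." as a whole segment in any position, or a newline smuggled into the path.
  TRAVERSAL_PATTERN = /\A\.{1,2}\z|\A\.\.[\/\\]|[\/\\]\.\.\z|[\/\\]\.\.[\/\\]|\n/

  # Step 2 of the root-cause walk-through: percent-decode, then look for "..".
  # Returns the decoded path, which is what the next check receives.
  def self.check_path_traversal!(path)
    decoded = CGI.unescape(path.to_s)
    # Assumed safeguard: reject double encoding ("%252F") so a later decode
    # cannot turn an innocent-looking value into a separator or "..".
    raise Rejected, "double-encoded path: #{path}" if decoded != CGI.unescape(decoded)
    raise Rejected, "path traversal: #{path}" if decoded.match?(TRAVERSAL_PATTERN)

    decoded
  end

  # Step 3: an absolute path is accepted only under an allowlisted prefix.
  def self.check_allowed_absolute_path!(path, allowlist)
    return unless Pathname.new(path).absolute?
    return if allowlist.any? { |prefix| path.start_with?(prefix) }

    raise Rejected, "absolute path not allowed: #{path}"
  end

  # Before the fix: "%2FSAP%2F" decodes to "/SAP/", which looks absolute and fails.
  def self.validate_before(path, allowlist: [])
    decoded = check_path_traversal!(path)
    check_allowed_absolute_path!(decoded, allowlist)
    :allowed
  rescue Rejected
    :rejected
  end

  # After the fix (modelled): with allow_initial_path_separator, a value with no
  # literal leading separator that decodes to one is a literal directory name
  # such as "%2FSAP%2F"; its decoded form is allowlisted for this check only.
  # A path that is literally absolute ("/etc/passwd") gets no such exemption.
  def self.validate_after(path, allowlist: [], allow_initial_path_separator: false)
    decoded = check_path_traversal!(path)
    allowed = allowlist.dup
    if allow_initial_path_separator &&
       !Pathname.new(path).absolute? && Pathname.new(decoded).absolute?
      allowed << decoded
    end
    check_allowed_absolute_path!(decoded, allowed)
    :allowed
  rescue Rejected
    :rejected
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: the customer's literal directory name plus abuse cases.
  samples = ['%2FSAP%2F', 'docs%2Freadme.md', '/etc/passwd',
             '%2Fetc%2F..%2Fpasswd', '%252E%252E%2Fsecret']
  samples.each do |p|
    puts format('%-22s before=%-8s after=%s', p,
                PathCheck.validate_before(p),
                PathCheck.validate_after(p, allow_initial_path_separator: true))
  end
end
```

Two points a reviewer would want confirmed in the real change follow from this model: the traversal check must still run on the decoded value before the option is consulted, so "%2Fetc%2F..%2Fpasswd" is rejected regardless of the flag, and the exemption must key off the raw value having no literal leading separator, so a genuinely absolute path never benefits. The option is also only safe in the Files API because, as the References section notes, the backend already refuses invalid absolute paths and the validator is an early-return optimisation rather than the last line of defence.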
