[Security] Path validation bypass on Windows via NTFS Alternate Data Streams (ADS) in secure-filesystem-server#4523
Open
andreiminca wants to merge 1 commit into
Open
Conversation
A path validation bypass vulnerability has been identified on Windows environments within the secure-filesystem-server. The isPathWithinAllowedDirectories function fails to restrict NTFS Alternate Data Streams (ADS). As a result, an attacker can supply paths containing a colon separator (e.g., file.txt:payload.exe), which bypasses directory boundary checks and allows reading or writing hidden data directly to NTFS alternate streams within allowed folders
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A path validation bypass vulnerability has been identified on Windows environments within the secure-filesystem-server. The isPathWithinAllowedDirectories function fails to restrict NTFS Alternate Data Streams (ADS). As a result, an attacker can supply paths containing a colon separator (e.g., file.txt:payload.exe), which bypasses directory boundary checks and allows reading or writing hidden data directly to NTFS alternate streams within allowed folders
Description
This change introduces validation to reject paths containing NTFS Alternate Data Streams (ADS) on Windows platforms. It inspects the normalized path in
isPathWithinAllowedDirectoriesand blocks paths that contain unexpected colons (:) beyond the standard Windows drive letter prefix (e.g.,C:).Publishing Your Server
Note: We are no longer accepting PRs to add servers to the README. Instead, please publish your server to the MCP Server Registry to make it discoverable to the MCP ecosystem.
To publish your server, follow the quickstart guide. You can browse published servers at https://registry.modelcontextprotocol.io/.
Server Details
Motivation and Context
On Windows machines using NTFS, files can have alternate data streams using the
filename:streamnamesyntax. The existing validation normalized the path and verified the directory prefix (e.g.,normalizedPath.startsWith(normalizedDir + path.sep)).However, since
path.resolveandpath.normalizeon Windows preserve the:separator, a path likeC:\allowed\dir\safe.txt:payload.exewould start with the allowed directory prefix and bypass validation. When used in file reads or writes, Node.js and Windows would access the alternate stream instead of a regular file. This fix solves this bypass by validating and rejecting any unexpected colons on Windows, while preserving full compatibility with Linux/Unix platforms where colons are valid characters in filenames.How Has This Been Tested?
Tested the function
isPathWithinAllowedDirectorieswith the following test cases:C:\allowed\dir\file.txt) -> AllowedC:\allowed\dir\file.txt:payload.exe) -> RejectedC:\allowed\dir\file.txt:stream1:stream2) -> Rejected/allowed/dir/file.txt:with:colons) -> Allowed (retaining compatibility)Breaking Changes
None. This is a non-breaking security fix.
Types of changes
Checklist
Additional context
The fix specifically isolates Windows platforms (
process.platform === 'win32' || path.sep === '\\') to prevent breaking compatibility on POSIX systems where colons are valid file system characters.