{{ message }}
This repository was archived by the owner on Mar 31, 2026. It is now read-only.
fix(transfer_manager): Prevent path traversal in download_many_to_path#1768
Merged
Conversation
user provided destination_dir
product-auto-label
Bot
added
size: m
Contributor
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
The pull request introduces a Path object and a _resolve_path function to resolve the destination path for downloaded blobs in the download_many_to_path function, preventing path traversal vulnerabilities. The tests were updated to reflect the change in destination path. Review feedback indicates that the implementation of _resolve_path is incorrect for relative paths and will raise a ValueError when blob_path is a relative path. Also, the pathlib.Path.is_relative_to() method was introduced in Python 3.9, and since this library supports Python 3.7+, using this method will cause an AttributeError on Python versions 3.7 and 3.8. The traceback module is imported but never used in the file. The TODO comment should be replaced with a concrete example before merging. The docstring for destination_directory contains a TODO comment, a reference to the old os.path.join implementation, and a redundant parenthetical note. The expression Path(destination_directory).resolve() is evaluated on every iteration of the loop.
product-auto-label
Bot
added
size: l
chandra-siri
changed the title
chandra-siri
changed the title
download_many_to_path
chandra-siri
commented
Mar 10, 2026
krishnamd-jkp
approved these changes
Mar 11, 2026
chandra-siri
added a commit
that referenced
this pull request
Mar 18, 2026
PR created by the Librarian CLI to initialize a release. Merging this PR will auto trigger a release. Librarian Version: v1.0.2-0.20251119154421-36c3e21ad3ac Language Image: us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator@sha256:8e2c32496077054105bd06c54a59d6a6694287bc053588e24debe6da6920ad91 <details><summary>google-cloud-storage: 3.10.0</summary> ## [3.10.0](v3.9.0...v3.10.0) (2026-03-18) ### Features * [Bucket Encryption Enforcement] add support for bucket encryption enforcement config (#1742) ([2a6e8b0](2a6e8b0)) ### Perf Improvments * [Rapid Buckets Reads] Use raw proto access for read resumption strategy (#1764) ([14cfd61](14cfd61)) * [Rapid Buckets Benchmarks] init mp pool & grpc client once, use os.sched_setaffinity (#1751) ([a9eb82c](a9eb82c)) * [Rapid Buckets Writes] don't flush at every append, results in bad perf (#1746) ([ab62d72](ab62d72)) ### Bug Fixes * [Windows] skip downloading blobs whose name contain `":" ` eg: `C:` `D:` etc when application runs in Windows. (#1774) ([5581988](5581988)) * [Path Traversal] Prevent path traversal in `download_many_to_path` (#1768) ([700fec3](700fec3)) * [Rapid Buckets] pass token correctly, '&' instead of ',' (#1756) ([d8dd1e0](d8dd1e0)) </details>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix(transfer_manager): Prevent path traversal in download_many_to_path
This PR addresses a security vulnerability where
download_many_to_pathcould be exploited to write files outside the intended destination directory.The fix ensures that the resolved path for each blob download remains within the bounds of the user-provided
destination_directory. If a blob name would result in a path outside this directory (e.g., by using../), a warning is issued, and that specific blob download is skipped. This prevents directory traversal attacks.Absolute paths in blob names (e.g.,
/etc/passwd) are now treated as relative to thedestination_directory, so/etc/passwdwill be downloaded todestination_directory/etc/passwd.See b/449616593 for more details.
BREAKING CHANGE: Blobs that would resolve to a path outside the
destination_directoryare no longer downloaded. While this is a security fix, users relying on the previous behavior to write files outside the target directory will see a change.