Skip to content

🛡️ Sentinel: [HIGH] Fix Windows reserved names bypass with multiple extensions#8

Open
spf13 wants to merge 1 commit intomainfrom
sentinel-fix-reserved-names-6072392955780950952
Open

🛡️ Sentinel: [HIGH] Fix Windows reserved names bypass with multiple extensions#8
spf13 wants to merge 1 commit intomainfrom
sentinel-fix-reserved-names-6072392955780950952

Conversation

@spf13
Copy link
Owner

@spf13 spf13 commented Mar 15, 2026

🚨 Severity: HIGH
💡 Vulnerability: Windows reserved device names (e.g., CON, PRN) could bypass sanitization if the filename had multiple extensions (e.g., CON.tar.gz). filepath.Ext() only extracts the last extension (.gz), leaving the base name as CON.tar, which fails the exact match against the reserved names list (CON). However, Windows still treats CON.tar.gz as the CON device.
🎯 Impact: Attackers could craft filenames with multiple extensions that bypass the intended security restrictions, potentially leading to application instability, file write failures, or path traversal issues on Windows systems.
🔧 Fix: Modified filenameWithoutExtension to split at the first dot instead of using filepath.Ext(). This ensures the true base name is isolated. Updated removeReservedWithExtension to securely re-append all subsequent characters after sanitizing the base name. Added a security comment explaining the rationale.
✅ Verification: Run go test ./... to verify that the newly added test case {"reserved with multiple extensions", "CON.tar.gz", "CON_.tar.gz"} passes and all existing behavior remains intact.

PR created automatically by Jules for task 6072392955780950952 started by @spf13

@google-labs-jules @spf13
🛡️ Sentinel: [HIGH] Fix Windows reserved names bypass with multiple e…
d645714 
…xtensions

- Modified `filenameWithoutExtension` to split the filename at the first dot rather than using `filepath.Ext()`.
- Added a security comment explaining that `CON.tar.gz` bypasses exact match checks if only the last extension (`.gz`) is stripped.
- Updated `removeReservedWithExtension` to correctly reconstruct the filename with all its original extensions after sanitizing the true base name.
- Added a unit test for `"CON.tar.gz"`.

Co-authored-by: spf13 <173412+spf13@users.noreply.github.com>
@google-labs-jules
Copy link

google-labs-jules bot commented Mar 15, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@spf13