Hello team,
I was working on a custom CLI for Linode Object Storage when I accidentally found out that I can create folders with a .. prefix when using an @linode/api-v4 presigned URL. I have an example where I created by mistake an object key with the following name, ../cardinal-stack/LICENSE, and uploaded the content to the file, as per the screenshot:
Through the console I'm unable to delete the file.
Steps to reproduce the issue:
1 - Generate Presigned URL for object key https://api.linode.com/v4/object-storage/buckets/{region}/{bucket}/object-url
2 - Put file content through generated Presigned URL
3 - Access the file through the console and try to delete the file
It raises security concerns from 2 perspectives:
1 - Linode's side: I'm not sure how the architecture is, but it can allow injection of malicious files.
2 - User's side: I cannot delete my own content, so it raises security concerns as well.
Thanks,
OP
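
A client-side guard for the situation reported above, as an added example that is not part of the original post and is not Linode's or @linode/api-v4's code: it checks an object key for `..` and similar path segments before a presigned URL is requested for it. The function names, the rule set and the 1024-byte limit (the usual S3 key limit) are assumptions of this example.

```javascript
// Added example: validate an object key before requesting a presigned URL.
// The names and rules here are assumptions, not Linode's documented policy.

// Returns null when the key is acceptable, otherwise a short reason string.
function objectKeyProblem(key) {
  if (typeof key !== "string" || key.length === 0) return "empty key";
  // Assumed limit: S3-style keys are capped at 1024 bytes of UTF-8.
  if (new TextEncoder().encode(key).length > 1024) return "key longer than 1024 bytes";
  if (/[\u0000-\u001f\u007f]/.test(key)) return "control character in key";
  if (key.includes("\\")) return "backslash in key";
  if (key.startsWith("/")) return "leading slash";
  const segments = key.split("/");
  for (let i = 0; i < segments.length; i++) {
    const seg = segments[i];
    if (seg === "..") return "'..' segment";
    if (seg === ".") return "'.' segment";
    // An empty last segment is a trailing slash ("folder/") and is allowed.
    if (seg === "" && i !== segments.length - 1) return "empty segment";
  }
  return null;
}

// Builds the key a CLI would upload to from an optional prefix and a local
// relative path (Windows separators converted). Throws on a risky key.
function keyForUpload(prefix, relativePath) {
  const rel = relativePath.replace(/\\/g, "/").replace(/^\.\//, "");
  const key = prefix ? prefix.replace(/\/+$/, "") + "/" + rel : rel;
  const problem = objectKeyProblem(key);
  if (problem) {
    throw new Error(`refusing object key ${JSON.stringify(key)}: ${problem}`);
  }
  return key;
}

// Constructed sample keys; the first is the key from the report above.
const sampleKeys = [
  "../cardinal-stack/LICENSE",
  "cardinal-stack/LICENSE",
  "a/../b",
  "docs//readme",
  "backups/",
];
for (const k of sampleKeys) {
  console.log(JSON.stringify(k), "->", objectKeyProblem(k) ?? "ok");
}
```

A key such as `..notes/file` passes, because only a segment that is exactly `..` is treated as a traversal component.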