feat: implement secure path validation for downloadManyFiles #2
Open
thiyaguk09 wants to merge 7092 commits into main from
thiyaguk09 (Owner) commented on Mar 6, 2026
- Adds protection against path traversal (../) using normalized path resolution.
- Prevents Windows-style drive letter injection while allowing GCS timestamps.
- Implements directory jail logic to ensure absolute-style paths are relative to destination.
- Preserves backward compatibility by returning an augmented DownloadResponse array.
- Automates recursive directory creation for validated nested files.
- Adds comprehensive 13-scenario test suite for edge-case parity.
Co-authored-by: sofisl <55454395+sofisl@users.noreply.github.com>
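The checks listed in the description above, sketched as an added example; this is not code from the PR or from the library. `resolveInJail`, `classify` and the sample object names are hypothetical and constructed for illustration.

```javascript
const path = require('node:path');

// Hypothetical helper (not the library's API): map a bucket object name to a
// local path that is guaranteed to stay inside `destination`.
function resolveInJail(destination, objectName) {
  const root = path.resolve(destination);
  // Assumption: treat "\" as a separator on every platform so Windows-style
  // traversal is caught even when the check runs on POSIX.
  let name = String(objectName).replace(/\\/g, '/');
  // Directory jail: absolute-style names are re-rooted under the destination.
  name = name.replace(/^\/+/, '');
  // Only a leading "<letter>:" counts as a drive prefix, so colons inside
  // timestamps ("2026-03-06T10:15:00Z") are still accepted.
  if (/^[A-Za-z]:/.test(name)) {
    throw new Error(`drive letter in object name: ${objectName}`);
  }
  const target = path.resolve(root, name); // collapses "." and ".." segments
  const rel = path.relative(root, target);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (rel === '' || escapes) {
    throw new Error(`object name resolves outside destination: ${objectName}`);
  }
  return target;
}

// Validate a whole batch without aborting on the first bad name.
function classify(destination, objectNames) {
  const accepted = [];
  const rejected = [];
  for (const name of objectNames) {
    try {
      accepted.push({ name, target: resolveInJail(destination, name) });
    } catch (err) {
      rejected.push({ name, reason: err.message });
    }
  }
  return { accepted, rejected };
}

// Constructed sample object names, not taken from the PR's test suite.
const SAMPLE_NAMES = [
  'reports/2026/q1.csv',
  'logs/2026-03-06T10:15:00Z.txt',
  '/etc/passwd',
  '../../etc/passwd',
  'a/../../b.txt',
  'C:\\Windows\\win.ini',
  '..\\..\\secrets.txt',
];
console.log(classify('/srv/downloads', SAMPLE_NAMES));
```

The check is lexical only: a symlink that already exists under the destination can still point outside it, so resolve the parent directory with `fs.realpath` before writing when the destination is not freshly created.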
) This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [@types/yargs](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/yargs) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/yargs)) | [`^17.0.33` -> `^17.0.34`](https://renovatebot.com/diffs/npm/@types%2fyargs/17.0.33/17.0.34) | | |
…eapis#1882) This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [gapic-node-processing](https://redirect.github.com/googleapis/google-cloud-node) ([source](https://redirect.github.com/googleapis/google-cloud-node/tree/HEAD/packages/gapic-node-processing)) | [`^0.1.5` -> `^0.1.6`](https://renovatebot.com/diffs/npm/gapic-node-processing/0.1.5/0.1.6) | | |

### Release Notes

<details>
<summary>googleapis/google-cloud-node (gapic-node-processing)</summary>

### [`v0.1.6`](https://redirect.github.com/googleapis/google-cloud-node/blob/HEAD/packages/gapic-node-processing/CHANGELOG.md#016-2025-10-24)

[Compare Source](https://redirect.github.com/googleapis/google-cloud-node/compare/gapic-node-processing-v0.1.5...gapic-node-processing-v0.1.6)

##### Bug Fixes

- Bug in system test deletion logic ([#6845](https://redirect.github.com/googleapis/google-cloud-node/issues/6845)) ([468c233](https://redirect.github.com/googleapis/google-cloud-node/commit/468c23374a64c1dbdbfb52707d43169fc8fda2dc))

</details>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
chore: migrate code from googleapis/gax-nodejs
…pescript-migration
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
* feat: Mark Vector Search v1 API as GA feat: Add support for ExportDataObjects PiperOrigin-RevId: 882214457 Source-Link: googleapis/googleapis@19890a0 Source-Link: https://github.com/googleapis/googleapis-gen/commit/9c6045bda714b7f4abf5227391def8c67ae12a98 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLXZlY3RvcnNlYXJjaC8uT3dsQm90LnlhbWwiLCJoIjoiOWM2MDQ1YmRhNzE0YjdmNGFiZjUyMjczOTFkZWY4YzY3YWUxMmE5OCJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com> Co-authored-by: Santiago Quiroga <22756465+quirogas@users.noreply.github.com> Co-authored-by: Gabe Pearhill <86282859+pearigee@users.noreply.github.com>
…tifies a Navigation Point obtained from the `SearchDestinations` method of the Geocoding API (googleapis#7531) * feat: add a new Waypoint source to accept a token that identifies a Navigation Point obtained from the `SearchDestinations` method of the Geocoding API docs: regenerated documentation for fields PiperOrigin-RevId: 879699007 Source-Link: googleapis/googleapis@67b1168 Source-Link: https://github.com/googleapis/googleapis-gen/commit/3a6dbf11bc9963b66dae1d057e35a027ea9a6827 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLW1hcHMtcm91dGluZy8uT3dsQm90LnlhbWwiLCJoIjoiM2E2ZGJmMTFiYzk5NjNiNjZkYWUxZDA1N2UzNWEwMjdlYTlhNjgyNyJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com> Co-authored-by: Santiago Quiroga <22756465+quirogas@users.noreply.github.com> Co-authored-by: Gabe Pearhill <86282859+pearigee@users.noreply.github.com>
feat(firestore): global option to turn on implicit orderby
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Gabe Pearhill <86282859+pearigee@users.noreply.github.com>
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.5.6 to 5.5.7. - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v5.5.6...v5.5.7) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 5.5.7 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: add more values in DestintionEnum docs: A comment for message `DestintionEnum` is changed PiperOrigin-RevId: 881702559 Source-Link: googleapis/googleapis@6df3ecf Source-Link: https://github.com/googleapis/googleapis-gen/commit/9a590a89559b6a6d75c750064fe7c12fb35b9403 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com> Co-authored-by: Santiago Quiroga <22756465+quirogas@users.noreply.github.com> Co-authored-by: Gabe Pearhill <86282859+pearigee@users.noreply.github.com>
Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2. - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) --- updated-dependencies: - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…essage and field for PSV support (googleapis#7549) * feat: add `ParameterizedSecureViewParameters` message and field for PSV support feat: add `ThinkingMode` enum and field to control agent thinking mode docs: update field comments for `generated_looker_query` in `DataMessage` PiperOrigin-RevId: 881447800 Source-Link: googleapis/googleapis@b845741 Source-Link: https://github.com/googleapis/googleapis-gen/commit/e637d7d1cfb82c51fa37d75f29f94bb9296289fe Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWdlbWluaWRhdGFhbmFseXRpY3MvLk93bEJvdC55YW1sIiwiaCI6ImU2MzdkN2QxY2ZiODJjNTFmYTM3ZDc1ZjI5Zjk0YmI5Mjk2Mjg5ZmUifQ== * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * feat: add `ParameterizedSecureViewParameters` message and field for PSV support feat: add `ThinkingMode` enum and field to control agent thinking mode docs: update field comments for `generated_looker_query` in `DataMessage` PiperOrigin-RevId: 881451746 Source-Link: googleapis/googleapis@9807038 Source-Link: https://github.com/googleapis/googleapis-gen/commit/cd7cc9993d032012a2d132a7c6bffa804aa22457 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWdlbWluaWRhdGFhbmFseXRpY3MvLk93bEJvdC55YW1sIiwiaCI6ImNkN2NjOTk5M2QwMzIwMTJhMmQxMzJhN2M2YmZmYTgwNGFhMjI0NTcifQ== * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com> Co-authored-by: Santiago Quiroga <22756465+quirogas@users.noreply.github.com> Co-authored-by: Gabe Pearhill <86282859+pearigee@users.noreply.github.com>
…ked deprecated for WorkerPools API (googleapis#7834) * docs: An existing repeated string field custom_audiences is marked deprecated for WorkerPools API PiperOrigin-RevId: 886276550 Source-Link: googleapis/googleapis@c063f49 Source-Link: https://github.com/googleapis/googleapis-gen/commit/1adb05fe8457b4879dde688c26b0fe0aca565479 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLXJ1bi8uT3dsQm90LnlhbWwiLCJoIjoiMWFkYjA1ZmU4NDU3YjQ4NzlkZGU2ODhjMjZiMGZlMGFjYTU2NTQ3OSJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
…e-migration migrate code from googleapis/nodejs-precise-date
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
…rchService (googleapis#7837) * feat: Update DataStoreSpec and add BoostSpec to SearchService docs: Clarify project number requirement for data_store field PiperOrigin-RevId: 886697454 Source-Link: googleapis/googleapis@7439b69 Source-Link: https://github.com/googleapis/googleapis-gen/commit/17f9afd966a691437229858c95540b2aa95ac346 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWRpc2NvdmVyeWVuZ2luZS8uT3dsQm90LnlhbWwiLCJoIjoiMTdmOWFmZDk2NmE2OTE0MzcyMjk4NThjOTU1NDBiMmFhOTVhYzM0NiJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
fix(spanner): override gcp-metadata to resolve punycode deprecation
…INITIATED_SYSTEM_OPERATION Key Access Justification codes as deprecated in favor of GOOGLE_RESPONSE_TO_PRODUCTION_ALERT PiperOrigin-RevId: 853754070 Source-Link: googleapis/googleapis@f814267 Source-Link: googleapis/googleapis-gen@cccc9ca Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiY2NjYzljYWM1MTdhODk0ZjZiMTJhMjQ2ZjI2MzNhZjAzMmU4YjVkOSJ9
…: Expose the `Database.mongodb_compatible_data_access_mode` parameter feat: Expose the `Database.realtime_updates_mode` parameter feat: Expose the `Index.unique` parameter docs: Update documentation on several parameters, especially when relating to the new `enterprise` database edition PiperOrigin-RevId: 865444806 Source-Link: googleapis/googleapis@760ef85 Source-Link: googleapis/googleapis-gen@49f01fb Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiNDlmMDFmYjdjZjIxZDdhNzU4ZTNlMDNkZjk2NDlhNTJkYjgxZjVkOCJ9
…: Firestore.executePipeline to not retry on `RESOURCE_EXHAUSTED` PiperOrigin-RevId: 877535984 Source-Link: googleapis/googleapis@1ccd68a Source-Link: googleapis/googleapis-gen@eaf17cf Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiZWFmMTdjZmMwMzcxOWVjY2RmYjdiMDc5ODlhMTk0NWVmMzQ4ODBmMiJ9