Add Path Validation for DiskBasedResponseCache and DiskBasedResultStore (#7397)

* Add Path Validation for DiskBasedResponseCache and DiskBasedResultStore

* Refactor async test methods in PathValidationTests to use Task instead of void

* Update error message 'value' to 'parameter'

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Fix separator tests on Mac/Linux

* Update src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/CSharp/Utilities/PathValidation.cs

Co-authored-by: Shyam N <shyamnamboodiripad@users.noreply.github.com>

* Update src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/CSharp/Utilities/PathValidation.cs

Co-authored-by: Shyam N <shyamnamboodiripad@users.noreply.github.com>

* Improve root path check.

* Enhance EnsureWithinRoot method to handle directory separators for .NET Framework and add tests for UNC paths and edge cases

* Fix net standard builds

* Retrigger build

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Shyam N <shyamnamboodiripad@users.noreply.github.com>

Author: 3 people

src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/CSharp/Storage/DiskBasedResponseCache.cs

@@ -13,6 +13,7 @@
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Extensions.AI.Evaluation.Reporting.Utilities;
 using Microsoft.Extensions.Caching.Distributed;
 
 namespace Microsoft.Extensions.AI.Evaluation.Reporting.Storage;
@@ -37,13 +38,18 @@ internal DiskBasedResponseCache(
         Func<DateTime> provideDateTime,
         TimeSpan? timeToLiveForCacheEntries = null)
     {
+        PathValidation.ValidatePathSegment(scenarioName, nameof(scenarioName));
+        PathValidation.ValidatePathSegment(iterationName, nameof(iterationName));
+
         _scenarioName = scenarioName;
         _iterationName = iterationName;
 
         storageRootPath = Path.GetFullPath(storageRootPath);
         string cacheRootPath = GetCacheRootPath(storageRootPath);
 
-        _iterationPath = Path.Combine(cacheRootPath, scenarioName, iterationName);
+        _iterationPath = PathValidation.EnsureWithinRoot(
+            cacheRootPath,
+            Path.Combine(cacheRootPath, scenarioName, iterationName));
         _provideDateTime = provideDateTime;
         _timeToLiveForCacheEntries = timeToLiveForCacheEntries ?? Defaults.DefaultTimeToLiveForCacheEntries;
     }
@@ -289,7 +295,9 @@ private static string GetContentsFilePath(string keyPath)
 
     private (string keyPath, string entryFilePath, string contentsFilePath, bool filesExist) GetPaths(string key)
     {
-        string keyPath = Path.Combine(_iterationPath, key);
+        PathValidation.ValidatePathSegment(key, nameof(key));
+
+        string keyPath = PathValidation.EnsureWithinRoot(_iterationPath, Path.Combine(_iterationPath, key));
         string entryFilePath = GetEntryFilePath(keyPath);
         string contentsFilePath = GetContentsFilePath(keyPath);
 
@@ -316,4 +324,4 @@ private CacheEntry CreateEntry()
 
         return new CacheEntry(_scenarioName, _iterationName, creation, expiration);
     }
-}
+}

src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/CSharp/Storage/DiskBasedResultStore.cs

@@ -56,6 +56,9 @@ public async IAsyncEnumerable<ScenarioRunResult> ReadResultsAsync(
         string? iterationName = null,
         [EnumeratorCancellation] CancellationToken cancellationToken = default)
     {
+        PathValidation.ValidatePathSegment(executionName, nameof(executionName));
+        PathValidation.ValidatePathSegment(scenarioName, nameof(scenarioName));
+        PathValidation.ValidatePathSegment(iterationName, nameof(iterationName));
         IEnumerable<FileInfo> resultFiles =
             EnumerateResultFiles(executionName, scenarioName, iterationName, cancellationToken);
 
@@ -89,8 +92,14 @@ public async ValueTask WriteResultsAsync(
         {
             cancellationToken.ThrowIfCancellationRequested();
 
+            PathValidation.ValidatePathSegment(result.ExecutionName, nameof(result.ExecutionName));
+            PathValidation.ValidatePathSegment(result.ScenarioName, nameof(result.ScenarioName));
+            PathValidation.ValidatePathSegment(result.IterationName, nameof(result.IterationName));
+
             var resultDir =
-                new DirectoryInfo(Path.Combine(_resultsRootPath, result.ExecutionName, result.ScenarioName));
+                new DirectoryInfo(PathValidation.EnsureWithinRoot(
+                    _resultsRootPath,
+                    Path.Combine(_resultsRootPath, result.ExecutionName, result.ScenarioName)));
 
             resultDir.Create();
 
@@ -113,14 +122,21 @@ public ValueTask DeleteResultsAsync(
         string? iterationName = null,
         CancellationToken cancellationToken = default)
     {
+        PathValidation.ValidatePathSegment(executionName, nameof(executionName));
+        PathValidation.ValidatePathSegment(scenarioName, nameof(scenarioName));
+        PathValidation.ValidatePathSegment(iterationName, nameof(iterationName));
+
         if (executionName is null && scenarioName is null && iterationName is null)
         {
             Directory.Delete(_resultsRootPath, recursive: true);
             _ = Directory.CreateDirectory(_resultsRootPath);
         }
         else if (executionName is not null && scenarioName is null && iterationName is null)
         {
-            var executionDir = new DirectoryInfo(Path.Combine(_resultsRootPath, executionName));
+            var executionDir = new DirectoryInfo(
+                PathValidation.EnsureWithinRoot(
+                    _resultsRootPath,
+                    Path.Combine(_resultsRootPath, executionName)));
 
             if (executionDir.Exists)
             {
@@ -130,7 +146,10 @@ public ValueTask DeleteResultsAsync(
         else if (executionName is not null && scenarioName is not null && iterationName is null)
         {
             var scenarioDir =
-                new DirectoryInfo(Path.Combine(_resultsRootPath, executionName, scenarioName));
+                new DirectoryInfo(
+                    PathValidation.EnsureWithinRoot(
+                        _resultsRootPath,
+                        Path.Combine(_resultsRootPath, executionName, scenarioName)));
 
             if (scenarioDir.Exists)
             {
@@ -140,7 +159,10 @@ public ValueTask DeleteResultsAsync(
         else if (executionName is not null && scenarioName is not null && iterationName is not null)
         {
             var resultFile =
-                new FileInfo(Path.Combine(_resultsRootPath, executionName, scenarioName, $"{iterationName}.json"));
+                new FileInfo(
+                    PathValidation.EnsureWithinRoot(
+                        _resultsRootPath,
+                        Path.Combine(_resultsRootPath, executionName, scenarioName, $"{iterationName}.json")));
 
             if (resultFile.Exists)
             {
@@ -206,6 +228,8 @@ public async IAsyncEnumerable<string> GetScenarioNamesAsync(
         string executionName,
         [EnumeratorCancellation] CancellationToken cancellationToken = default)
     {
+        PathValidation.ValidatePathSegment(executionName, nameof(executionName));
+
         IEnumerable<DirectoryInfo> executionDirs = EnumerateExecutionDirs(executionName, cancellationToken);
 
         IEnumerable<DirectoryInfo> scenarioDirs =
@@ -225,6 +249,9 @@ public async IAsyncEnumerable<string> GetIterationNamesAsync(
         string scenarioName,
         [EnumeratorCancellation] CancellationToken cancellationToken = default)
     {
+        PathValidation.ValidatePathSegment(executionName, nameof(executionName));
+        PathValidation.ValidatePathSegment(scenarioName, nameof(scenarioName));
+
         IEnumerable<FileInfo> resultFiles =
             EnumerateResultFiles(executionName, scenarioName, cancellationToken: cancellationToken);
 
@@ -260,7 +287,10 @@ private IEnumerable<DirectoryInfo> EnumerateExecutionDirs(
         }
         else
         {
-            var executionDir = new DirectoryInfo(Path.Combine(_resultsRootPath, executionName));
+            var executionDir = new DirectoryInfo(
+                PathValidation.EnsureWithinRoot(
+                    _resultsRootPath,
+                    Path.Combine(_resultsRootPath, executionName)));
             if (executionDir.Exists)
             {
                 yield return executionDir;

src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/CSharp/Utilities/PathValidation.cs

@@ -0,0 +1,88 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.IO;
+using Microsoft.Shared.Diagnostics;
+
+#if NET
+using System.Runtime.InteropServices;
+#endif
+
+namespace Microsoft.Extensions.AI.Evaluation.Reporting.Utilities;
+
+internal static class PathValidation
+{
+    private static readonly char[] _invalidFileNameChars = Path.GetInvalidFileNameChars();
+
+#pragma warning disable CA1802 // Use literals where appropriate
+    private static readonly StringComparison _pathComparison =
+#if NET
+        // Windows paths are case-insensitive; Linux/macOS paths are case-sensitive.
+        RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
+            ? StringComparison.OrdinalIgnoreCase
+            : StringComparison.Ordinal;
+#else
+        StringComparison.OrdinalIgnoreCase; // .NET Framework and .NET Standard only run on Windows
+#endif
+#pragma warning restore CA1802 // Use literals where appropriate
+
+    /// <summary>
+    /// Validates that a path segment is a safe single directory or file name.
+    /// Throws <see cref="ArgumentException"/> if the segment contains path separators,
+    /// invalid file name characters, or directory traversal sequences.
+    /// </summary>
+    internal static void ValidatePathSegment(string? segment, string paramName)
+    {
+        if (segment is null)
+        {
+            return;
+        }
+
+        if (segment.Length == 0
+            || segment != segment.Trim()
+            || segment is "."
+            || segment is ".."
+            || segment.IndexOfAny(_invalidFileNameChars) >= 0)
+        {
+            Throw.ArgumentException(
+                paramName,
+                $"The parameter '{paramName}' contains invalid path characters or directory traversal sequences.");
+        }
+    }
+
+    /// <summary>
+    /// Verifies that a fully resolved path is contained within the specified root directory.
+    /// Both paths are canonicalized via <see cref="Path.GetFullPath(string)"/> before comparison.
+    /// Throws <see cref="InvalidOperationException"/> if the resolved path escapes the root.
+    /// </summary>
+    internal static string EnsureWithinRoot(string rootPath, string resolvedPath)
+    {
+        string fullRoot = Path.GetFullPath(rootPath);
+        string normalizedRoot = fullRoot;
+        string fullResolved = Path.GetFullPath(resolvedPath);
+
+        // Ensure the root ends with a directory separator so that a root of
+        // "/foo/bar" does not match a path like "/foo/bar-sibling/file".
+#if NET
+        if (!normalizedRoot.EndsWith(Path.DirectorySeparatorChar) &&
+            !normalizedRoot.EndsWith(Path.AltDirectorySeparatorChar))
+#else
+        if (!normalizedRoot.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal) &&
+            !normalizedRoot.EndsWith(Path.AltDirectorySeparatorChar.ToString(), StringComparison.Ordinal))
+#endif
+        {
+            normalizedRoot += Path.DirectorySeparatorChar;
+        }
+
+        if (!fullResolved.StartsWith(normalizedRoot, _pathComparison) &&
+            !string.Equals(fullRoot, fullResolved, _pathComparison))
+        {
+            throw new InvalidOperationException(
+                "The resolved path escapes the configured root directory. " +
+                "This may indicate a path traversal attempt.");
+        }
+
+        return fullResolved;
+    }
+}