Description
Library name and version
Azure.Storage.Blobs 12.23.0
Query/Question
For blob client / blob container client, there is no validation to not leave the original container, e.g. in the following example
var path = $"../{otherContainerName}/{pathInOtherContainer}";
var credential = new DefaultAzureCredential();
var blobServiceClient = new BlobServiceClient(new Uri($"https://{storageAccountName}.blob.core.windows.net/"), credential);
var blobContainerClient = blobServiceClient.GetBlobContainerClient(containerName);
var blobClient = blobContainerClient.GetBlobClient(path);
var result = await blobClient.DownloadContentAsync();result will be filled with the actual content of the file, even though the blob is in another container.
Is it a deliberate choice in design to not validate whether the blob path is contained within the original container? From naming and the fact that a container name was provided in construction, one might think that the client cannot access anything outside the provided container.
In the current situation, it's pretty easy to forget to validate the path and thus become vulnerable to https://cwe.mitre.org/data/definitions/22.html
Providing such a validation library-side would be nice IMO.
Environment
No response