Skip to content

feat: implement fast multipart download API for envd#1802

Draft
mishushakov wants to merge 4 commits intomainfrom
mishushakov/multipart-download
Draft

feat: implement fast multipart download API for envd#1802
mishushakov wants to merge 4 commits intomainfrom
mishushakov/multipart-download

Conversation

@mishushakov
Copy link
Member

@mishushakov mishushakov commented Jan 28, 2026

Summary

Implements efficient multipart file downloads using direct ReadAt() for random access reads, mirroring the existing multipart upload pattern. Supports concurrent part downloads with configurable part sizes (default 5MB, max 100MB) and session-based management with 1-hour TTL and automatic cleanup.

Test plan

  • ✅ Init session with correct metadata
  • ✅ Download all parts and verify content
  • ✅ Out-of-order part downloads (thread-safe)
  • ✅ Invalid downloadId/part returns 400/404
  • ✅ Max sessions limit returns 429
  • ✅ Session cleanup on TTL expiry
  • ✅ Auth allowlist updated for download paths

🤖 Generated with Claude Code

@mishushakov @claude
feat: implement fast multipart download API for envd
e17c924 
Implements efficient multipart file downloads using direct ReadAt() for random
access reads, mirroring the existing multipart upload pattern. Supports
concurrent part downloads with configurable part sizes (default 5MB, max 100MB)
and session-based management with 1-hour TTL and automatic cleanup.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
claude[bot]
claude bot reviewed Jan 28, 2026
View reviewed changes
claude[bot]
claude bot reviewed Jan 28, 2026
View reviewed changes
claude[bot]
claude bot reviewed Jan 28, 2026
View reviewed changes
claude[bot]
claude bot reviewed Jan 28, 2026
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 28, 2026
View reviewed changes
packages/envd/internal/api/multipart_download.go
}

// Check if file exists and get its size
stat, err := os.Stat(filePath)

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix

AI 16 days ago

In general, to fix uncontrolled path usage, we should resolve the user-provided path against a well-defined base directory and then verify that the resulting absolute path is still inside that base. If it is not, we reject the request. This prevents directory traversal or arbitrary absolute path usage even when the attacker supplies .. components or absolute paths.

The best place to fix this without changing existing behavior too much is in permissions.ExpandAndResolve. That function is the centralized helper used to turn a user-supplied path plus user and defaultPath info into an absolute path. We can extend it so that it (1) computes a base directory (either from defaultPath or user.HomeDir), (2) expands ~ relative to that base, (3) resolves to an absolute path, and (4) ensures the resulting absolute path stays under the base directory. If the path escapes the base (for example, via .. or an absolute path like /etc/passwd), we return an error instead of the path.

Concretely, in permissions/path.go we will:

  • Import "strings" to support prefix checks.
  • Change ExpandAndResolve to:
    • Compute an absolute baseDir from defaultPath (if provided) or user.HomeDir.
    • Apply execcontext.ResolveDefaultWorkdir as before to handle empty/default values.
    • Use expand to deal with ~, but ensure it uses the base directory semantics.
    • Always join the resulting path to baseDir (ignoring whether the user supplied an absolute path).
    • Call filepath.Abs to normalize the joined path.
    • Check that abs is within baseDir using a prefix check after ensuring both are absolute, with a trailing separator logic to avoid partial prefix issues.
    • Return an error if the check fails.

We will not modify multipart_download.go because it is already centralizing resolution via permissions.ExpandAndResolve; after we harden that function, filePath will be safe to use with os.Stat and subsequent file operations.

Suggested changeset 1
packages/envd/internal/permissions/path.go
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/envd/internal/permissions/path.go b/packages/envd/internal/permissions/path.go
--- a/packages/envd/internal/permissions/path.go
+++ b/packages/envd/internal/permissions/path.go
@@ -7,6 +7,7 @@
 	"os/user"
 	"path/filepath"
 	"slices"
+	"strings"
 
 	"github.com/e2b-dev/infra/packages/envd/internal/execcontext"
 )
@@ -28,23 +29,43 @@
 }
 
 func ExpandAndResolve(path string, user *user.User, defaultPath *string) (string, error) {
+	// Determine the base directory for all paths: prefer defaultPath (if provided),
+	// otherwise fall back to the user's home directory.
+	base := execcontext.ResolveDefaultWorkdir("", defaultPath)
+	if base == "" {
+		base = user.HomeDir
+	}
+
+	baseAbs, err := filepath.Abs(base)
+	if err != nil {
+		return "", fmt.Errorf("failed to resolve base path '%s' for user '%s': %w", base, user.Username, err)
+	}
+
+	// Resolve the requested path relative to the base directory.
 	path = execcontext.ResolveDefaultWorkdir(path, defaultPath)
 
-	path, err := expand(path, user.HomeDir)
+	path, err = expand(path, baseAbs)
 	if err != nil {
 		return "", fmt.Errorf("failed to expand path '%s' for user '%s': %w", path, user.Username, err)
 	}
 
-	if filepath.IsAbs(path) {
-		return path, nil
+	// Always join with the base directory so that user-supplied absolute
+	// paths cannot escape the intended root.
+	joined := filepath.Join(baseAbs, path)
+
+	abs, err := filepath.Abs(joined)
+	if err != nil {
+		return "", fmt.Errorf("failed to resolve path '%s' for user '%s' with base dir '%s': %w", joined, user.Username, baseAbs, err)
 	}
 
-	// The filepath.Abs can correctly resolve paths like /home/user/../file
-	path = filepath.Join(user.HomeDir, path)
+	// Ensure the resolved path is within the base directory.
+	baseWithSep := baseAbs
+	if !strings.HasSuffix(baseWithSep, string(os.PathSeparator)) {
+		baseWithSep += string(os.PathSeparator)
+	}
 
-	abs, err := filepath.Abs(path)
-	if err != nil {
-		return "", fmt.Errorf("failed to resolve path '%s' for user '%s' with home dir '%s': %w", path, user.Username, user.HomeDir, err)
+	if abs != baseAbs && !strings.HasPrefix(abs, baseWithSep) {
+		return "", fmt.Errorf("resolved path '%s' is outside of allowed base directory '%s' for user '%s'", abs, baseAbs, user.Username)
 	}
 
 	return abs, nil
EOF
@@ -7,6 +7,7 @@
"os/user"
"path/filepath"
"slices"
"strings"

"github.com/e2b-dev/infra/packages/envd/internal/execcontext"
)
@@ -28,23 +29,43 @@
}

func ExpandAndResolve(path string, user *user.User, defaultPath *string) (string, error) {
// Determine the base directory for all paths: prefer defaultPath (if provided),
// otherwise fall back to the user's home directory.
base := execcontext.ResolveDefaultWorkdir("", defaultPath)
if base == "" {
base = user.HomeDir
}

baseAbs, err := filepath.Abs(base)
if err != nil {
return "", fmt.Errorf("failed to resolve base path '%s' for user '%s': %w", base, user.Username, err)
}

// Resolve the requested path relative to the base directory.
path = execcontext.ResolveDefaultWorkdir(path, defaultPath)

path, err := expand(path, user.HomeDir)
path, err = expand(path, baseAbs)
if err != nil {
return "", fmt.Errorf("failed to expand path '%s' for user '%s': %w", path, user.Username, err)
}

if filepath.IsAbs(path) {
return path, nil
// Always join with the base directory so that user-supplied absolute
// paths cannot escape the intended root.
joined := filepath.Join(baseAbs, path)

abs, err := filepath.Abs(joined)
if err != nil {
return "", fmt.Errorf("failed to resolve path '%s' for user '%s' with base dir '%s': %w", joined, user.Username, baseAbs, err)
}

// The filepath.Abs can correctly resolve paths like /home/user/../file
path = filepath.Join(user.HomeDir, path)
// Ensure the resolved path is within the base directory.
baseWithSep := baseAbs
if !strings.HasSuffix(baseWithSep, string(os.PathSeparator)) {
baseWithSep += string(os.PathSeparator)
}

abs, err := filepath.Abs(path)
if err != nil {
return "", fmt.Errorf("failed to resolve path '%s' for user '%s' with home dir '%s': %w", path, user.Username, user.HomeDir, err)
if abs != baseAbs && !strings.HasPrefix(abs, baseWithSep) {
return "", fmt.Errorf("resolved path '%s' is outside of allowed base directory '%s' for user '%s'", abs, baseAbs, user.Username)
}

return abs, nil
Copilot is powered by AI and may make mistakes. Always verify output.
packages/envd/internal/api/multipart_download.go
}

// Open the file for reading
srcFile, err := os.Open(filePath)

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix

AI 16 days ago

General fix approach: After resolving the user-supplied path into an absolute path, ensure that it is contained within a safe base directory (such as the user’s home directory or a configured workdir). Reject paths that escape this base. This is done by: (1) computing the base directory as an absolute path, (2) resolving the requested path relative to that base (or expanding ~ into that base), and (3) verifying that the final absolute path still has the base as its prefix on a path-component boundary.

Best concrete fix here without changing external behavior more than necessary:

  1. Strengthen permissions.ExpandAndResolve so it:

    • Always resolves the user-supplied path to an absolute path.
    • Determines a “base directory” from the given user and defaultPath (via execcontext.ResolveDefaultWorkdir), normalizes that base to an absolute path, and uses it as the root.
    • Expands ~ using user.HomeDir as before.
    • If the resulting path is not absolute, join it relative to the base directory, then normalize.
    • Finally, verify that the resulting absolute path is within the base directory using a safe prefix check (e.g., strings.HasPrefix(absPathWithSeparator, baseWithSeparator) after both are cleaned and made absolute). If it is outside, return an error instead of the path.

  2. To avoid breaking existing behavior where a fully absolute path is passed, we still accept it only if it lies under the computed base directory; otherwise, we now reject it. This is the key security change.

  3. The caller in PostFilesDownloadInit continues to call permissions.ExpandAndResolve and then uses filePath for os.Stat and os.Open. With the added containment check, filePath can no longer reference arbitrary filesystem locations outside the intended base, which addresses the CodeQL finding.

Implementation details / specific changes:

  • In packages/envd/internal/permissions/path.go:

    • Add an import of strings.
    • Introduce computation of a baseDir at the start of ExpandAndResolve:
      • Use execcontext.ResolveDefaultWorkdir(path, defaultPath) as now, but we’ll separate the concerns: first resolve resolvedPath := execcontext.ResolveDefaultWorkdir(path, defaultPath), then derive baseDir from defaultPath (or user.HomeDir if no default path).
      • Compute baseDirAbs := filepath.Abs(baseDir) and handle errors.
    • Apply expand on the resolved path as now.
    • If the expanded path is not absolute, join it with baseDirAbs and normalize via filepath.Abs.
    • If the (possibly already absolute) expanded path is absolute but not under baseDirAbs, return an error indicating the path is outside the allowed base.
    • Implement a helper-style check inline in ExpandAndResolve using strings.TrimRight + HasPrefix to enforce directory containment.

  • No changes are needed in packages/envd/internal/api/multipart_download.go, because we centralize the security in ExpandAndResolve. The call site already handles an error from ExpandAndResolve and returns a 400 Bad Request, which is appropriate when the requested path is invalid or disallowed.

Suggested changeset 1
packages/envd/internal/permissions/path.go
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/envd/internal/permissions/path.go b/packages/envd/internal/permissions/path.go
--- a/packages/envd/internal/permissions/path.go
+++ b/packages/envd/internal/permissions/path.go
@@ -7,6 +7,7 @@
 	"os/user"
 	"path/filepath"
 	"slices"
+	"strings"
 
 	"github.com/e2b-dev/infra/packages/envd/internal/execcontext"
 )
@@ -28,26 +29,55 @@
 }
 
 func ExpandAndResolve(path string, user *user.User, defaultPath *string) (string, error) {
-	path = execcontext.ResolveDefaultWorkdir(path, defaultPath)
+	// First, resolve any default workdir semantics on the raw path.
+	resolvedPath := execcontext.ResolveDefaultWorkdir(path, defaultPath)
 
-	path, err := expand(path, user.HomeDir)
+	// Determine the base directory within which all paths must reside.
+	baseDir := user.HomeDir
+	if defaultPath != nil && *defaultPath != "" {
+		baseDir = *defaultPath
+	}
+
+	baseDirAbs, err := filepath.Abs(baseDir)
 	if err != nil {
-		return "", fmt.Errorf("failed to expand path '%s' for user '%s': %w", path, user.Username, err)
+		return "", fmt.Errorf("failed to resolve base directory '%s' for user '%s': %w", baseDir, user.Username, err)
 	}
 
-	if filepath.IsAbs(path) {
-		return path, nil
+	// Expand any leading "~" in the path using the user's home directory.
+	resolvedPath, err = expand(resolvedPath, user.HomeDir)
+	if err != nil {
+		return "", fmt.Errorf("failed to expand path '%s' for user '%s': %w", resolvedPath, user.Username, err)
 	}
 
-	// The filepath.Abs can correctly resolve paths like /home/user/../file
-	path = filepath.Join(user.HomeDir, path)
+	// If the path is not absolute, resolve it relative to the base directory.
+	var abs string
+	if !filepath.IsAbs(resolvedPath) {
+		joined := filepath.Join(baseDirAbs, resolvedPath)
+		abs, err = filepath.Abs(joined)
+		if err != nil {
+			return "", fmt.Errorf("failed to resolve path '%s' for user '%s' with base dir '%s': %w", joined, user.Username, baseDirAbs, err)
+		}
+	} else {
+		// Path is already absolute; normalize it.
+		abs, err = filepath.Abs(resolvedPath)
+		if err != nil {
+			return "", fmt.Errorf("failed to resolve absolute path '%s' for user '%s': %w", resolvedPath, user.Username, err)
+		}
+	}
 
-	abs, err := filepath.Abs(path)
-	if err != nil {
-		return "", fmt.Errorf("failed to resolve path '%s' for user '%s' with home dir '%s': %w", path, user.Username, user.HomeDir, err)
+	// Ensure the final absolute path is contained within the base directory.
+	baseClean := filepath.Clean(baseDirAbs)
+	absClean := filepath.Clean(abs)
+
+	// Add path separator to avoid prefix tricks (e.g., /home/user2 vs /home/user).
+	baseWithSep := strings.TrimRight(baseClean, string(filepath.Separator)) + string(filepath.Separator)
+	absWithSep := strings.TrimRight(absClean, string(filepath.Separator)) + string(filepath.Separator)
+
+	if !strings.HasPrefix(absWithSep, baseWithSep) {
+		return "", fmt.Errorf("resolved path '%s' is outside of allowed base directory '%s' for user '%s'", absClean, baseClean, user.Username)
 	}
 
-	return abs, nil
+	return absClean, nil
 }
 
 func getSubpaths(path string) (subpaths []string) {
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
mishushakov and others added 2 commits January 28, 2026 22:45
@mishushakov @claude
fix: address review feedback for multipart download
f6383ba 
- Remove unused mu mutex field from MultipartDownloadSession
- Add activeReads ref-counting to prevent race condition when closing
  file during active read operations
- Use sync.Pool for buffer reuse to reduce memory pressure under load
- Accept context in cleanupExpiredDownloads for graceful shutdown
- Add Close() method to API for proper resource cleanup
- Update tests to call Close() on cleanup

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions
chore: auto-commit generated changes
306788e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@ValentaTomas ValentaTomas Awaiting requested review from ValentaTomas ValentaTomas will be requested when the pull request is marked ready for review ValentaTomas is a code owner

@jakubno jakubno Awaiting requested review from jakubno jakubno will be requested when the pull request is marked ready for review jakubno is a code owner

@dobrac dobrac Awaiting requested review from dobrac dobrac will be requested when the pull request is marked ready for review dobrac is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@ValentaTomas ValentaTomas

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mishushakov @ValentaTomas