fix: validate path segments in GcsArtifactService to prevent cross-user artifact access #6116

Open: Ashutosh0x wants to merge 4 commits into google:main from Ashutosh0x:fix/gcs-artifact-path-traversal

@Ashutosh0x (Contributor) commented Jun 14, 2026

Summary

Fix for #6115 - Validate user_id, app_name, and session_id in GcsArtifactService._get_blob_prefix() to prevent path traversal attacks that allow cross-user artifact access.

Problem

GcsArtifactService._get_blob_prefix() constructs GCS blob paths by directly interpolating user-supplied identifiers into f-strings:

```python
return f'{app_name}/{user_id}/user/{filename}'
return f'{app_name}/{user_id}/{session_id}/{filename}'
```

No validation is performed on user_id, app_name, or session_id. A malicious user_id like ../other-user escapes the intended namespace, enabling cross-user artifact read/write/delete.

Note: FileArtifactService in the same package already validates these inputs via _validate_path_segment(). This PR brings GcsArtifactService to parity.

Fix

Added _validate_gcs_path_segment() static method that rejects:

  • Empty values
  • Null bytes
  • Path separators (/ and \)
  • Traversal segments (. and ..)

Called in _get_blob_prefix() before constructing any blob path.

Testing

Added tests/unittests/artifacts/test_gcs_artifact_path_traversal.py with 10 tests covering:

  • Valid user IDs pass validation
  • ../other-user traversal blocked
  • .. and . blocked
  • Forward/back slashes blocked
  • Null bytes blocked
  • Empty strings blocked
  • app_name and session_id traversal blocked

```bash
pytest tests/unittests/artifacts/test_gcs_artifact_path_traversal.py -v
```

Fixes #6115
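
The check listed in the description above, sketched as an added example; this is not the PR's or ADK's code. The function names, the `user_scoped` flag and the sample identifiers are hypothetical and constructed for illustration.

```python
"""Added illustration: segment validation before building a blob prefix."""

_SEPARATORS = ("/", "\\")
_TRAVERSAL = (".", "..")

def validate_segment(field: str, value: str) -> str:
    """Return value unchanged if it is safe as ONE path segment, else raise."""
    if not value:
        raise ValueError(f"{field} must not be empty")
    if "\x00" in value:
        raise ValueError(f"{field} must not contain null bytes")
    if any(sep in value for sep in _SEPARATORS):
        raise ValueError(f"{field} must not contain path separators")
    if value in _TRAVERSAL:
        raise ValueError(f"{field} must not be a traversal segment")
    return value

def unsafe_blob_prefix(app_name, user_id, session_id, filename, user_scoped=False):
    """'Before' behaviour: identifiers interpolated with no checks."""
    if user_scoped:  # assumption: the caller decides which layout applies
        return f"{app_name}/{user_id}/user/{filename}"
    return f"{app_name}/{user_id}/{session_id}/{filename}"

def safe_blob_prefix(app_name, user_id, session_id, filename, user_scoped=False):
    """'After' behaviour: each identifier validated before interpolation.
    filename is left alone; the page lists only these three identifiers."""
    app_name = validate_segment("app_name", app_name)
    user_id = validate_segment("user_id", user_id)
    if user_scoped:
        return f"{app_name}/{user_id}/user/{filename}"
    session_id = validate_segment("session_id", session_id)
    return f"{app_name}/{user_id}/{session_id}/{filename}"

def is_rejected(**overrides) -> bool:
    """True if safe_blob_prefix refuses the (constructed) identifiers."""
    ids = {"app_name": "app", "user_id": "alice", "session_id": "s1",
           "filename": "report.txt", **overrides}
    try:
        safe_blob_prefix(**ids)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed sample values covering each rejection class from the list.
    print("unchecked:", unsafe_blob_prefix("app", "../other-user", "s1", "report.txt"))
    for bad in ("../other-user", "..", ".", "a/b", "a\\b", "a\x00b", ""):
        print(repr(bad), "rejected:", is_rejected(user_id=bad))
```
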

@Ashutosh0x (Contributor, Author)

Hi @surajksharma07 — this fixes a path traversal (CWE-22) in GcsArtifactService reported in #6115.

The _get_blob_prefix() method uses f-string interpolation with unsanitized user_id, app_name, and session_id. A user_id of ../victim escapes the namespace, enabling cross-user artifact read/write/delete.

Note: FileArtifactService already has _validate_path_segment() for this exact purpose. This PR brings GcsArtifactService to parity with 10 unit tests. All CI should pass.

This is the same vulnerability class as #5603 / PR #5927 (which I also fixed). Let me know if you'd like any adjustments!

rohityan self-assigned this Jun 15, 2026

rohityan added the labels "services" ([Component] This issue is related to runtime services, e.g. sessions, memory, artifacts, etc) and "request clarification" ([Status] The maintainer need clarification or more information from the author) Jun 17, 2026

@rohityan (Collaborator)

Hi @Ashutosh0x, thank you for your contribution! We appreciate you taking the time to submit this pull request. Can you please fix the failing unit and mypy-diff tests and also fix the formatting errors before we can proceed with a review?

Development

Successfully merging this pull request may close these issues.

Security: GcsArtifactService missing input validation on path components allows cross-user artifact access (CWE-22)

2 participants