copilot feedback implementations

[th3hero]

This pull request introduces improved security measures for all storage drivers by decoding URL-encoded characters before validating file paths, which helps prevent path traversal attacks using encoded sequences. It also adds explicit error handling for file streams in the GCS driver to avoid silent failures. Additionally, there are minor cleanups and test file adjustments.

Security improvements across all storage drivers:

• All storage drivers (azure.driver.ts, gcs.driver.ts, s3.driver.ts, local.driver.ts) now decode file names and prefixes using decodeURIComponent before checking for path traversal sequences (.., * All storage drivers (azure.driver.ts, gcs.driver.ts, s3.driver.ts, local.driver.ts) now decode file names and prefixes using decodeURIComponent before checking for path traversal sequences (.., \0), blocking encoded traversal attempts ([src/drivers/azure.driver.tsL168-R176](https://github.com/th3hero/express-storage/pull/2/files#diff-6bdfa981359137fdc64b1d6ac725afc3185853ee8fa02af694eb6816dc2c3cdbL168-R176), [src/drivers/azure.driver.tsL227-R243](https://github.com/th3hero/express-storage/pull/2/files#diff-6bdfa981359137fdc64b1d6ac725afc3185853ee8fa02af694eb6816dc2c3cdbL227-R243), [src/drivers/azure.driver.tsL267-R291](https://github.com/th3hero/express-storage/pull/2/files#diff-6bdfa981359137fdc64b1d6ac725afc3185853ee8fa02af694eb6816dc2c3cdbL267-R291), [src/drivers/gcs.driver.tsL133-R145](https://github.com/th3hero/express-storage/pull/2/files#diff-fccf0bad0174c902eaadab505bdc22ac1e468028373610fc92dc314a4460155eL133-R145), [src/drivers/gcs.driver.tsL177-R197](https://github.com/th3hero/express-storage/pull/2/files#diff-fccf0bad0174c902eaadab505bdc22ac1e468028373610fc92dc314a4460155eL177-R197), [src/drivers/gcs.driver.tsL205-R233](https://github.com/th3hero/express-storage/pull/2/files#diff-fccf0bad0174c902eaadab505bdc22ac1e468028373610fc92dc314a4460155eL205-R233), [src/drivers/local.driver.tsL425-R433](https://github.com/th3hero/express-storage/pull/2/files#diff-d05568dcaa1bb00c431d82ec426daaeaf869a219f296c05b7f0f881f693c4aebL425-R433), [src/drivers/local.driver.tsL471-R487](https://github.com/th3hero/express-storage/pull/2/files#diff-d05568dcaa1bb00c431d82ec426daaeaf869a219f296c05b7f0f881f693c4aebL471-R487), [src/drivers/local.driver.tsL512-R541](https://github.com/th3hero/express-storage/pull/2/files#diff-d05568dcaa1bb00c431d82ec426daaeaf869a219f296c05b7f0f881f693c4aebL512-R541), [src/drivers/s3.driver.tsL187-R195](https://github.com/th3hero/express-storage/pull/2/files#diff-d923582c5ef7880761a83727d1d7434bd3e212df60c57bc5c4a6d362f1e71ebaL187-R195), [src/drivers/s3.driver.tsL229-R245](https://github.com/th3hero/express-storage/pull/2/files#diff-d923582c5ef7880761a83727d1d7434bd3e212df60c57bc5c4a6d362f1e71ebaL229-R245), [src/drivers/s3.driver.tsL257-R281](https://github.com/th3hero/express-storage/pull/2/files#diff-d923582c5ef7880761a83727d1d7434bd3e212df60c57bc5c4a6d362f1e71ebaL257-R281)).), blocking encoded traversal attempts [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12].

Reliability improvements:

• In the GCS driver, errors from the source file stream are now explicitly handled and propagated to prevent silent failures during uploads (gcs.driver.ts).

Test and cleanup changes:

• Unused imports and test helpers have been removed from several test files to clean up the codebase (config.utils.test.ts, file.utils.test.ts, regression.test.ts, security.test.ts, storage-manager.test.ts) [1] [2] [3] [4] [5] [6].
• Minor test logic simplifications in storage-manager.test.ts [1] [2].

[Copilot]

Pull request overview

This pull request attempts to enhance security by adding URL decoding before path traversal validation across all storage drivers, and improves error handling in the GCS driver. However, there is a critical bug in the implementation.

Changes:

• Added decodeURIComponent calls before path traversal validation in all storage driver methods (generateUploadUrl, generateViewUrl, delete, listFiles)
• Added explicit error handling for file streams in GCS driver's uploadWithStream method
• Removed unused imports and variables from test files

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
src/drivers/azure.driver.ts	Added URL decoding before path traversal checks in generateUploadUrl, generateViewUrl, and delete methods
src/drivers/gcs.driver.ts	Added URL decoding before path traversal checks and improved stream error handling
src/drivers/s3.driver.ts	Added URL decoding before path traversal checks in generateUploadUrl, generateViewUrl, and delete methods
src/drivers/local.driver.ts	Added URL decoding before path traversal checks in delete, resolveFilePath, and listFiles methods
tests/storage-manager.test.ts	Removed unused imports (vi, createLargeMockFile) and unused variable assignments
tests/security.test.ts	Removed unused import (createMockFile)
tests/regression.test.ts	Removed unused import (createLargeMockFile)
tests/file.utils.test.ts	Removed unused import (beforeEach)
tests/config.utils.test.ts	Removed unused import (afterEach)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.