From 1e432b717eed0af8f8f7b245c69b9e5c8dcfd5f2 Mon Sep 17 00:00:00 2001
From: Viktor Scharf <scharf.vi@gmail.com>
Date: Thu, 5 Feb 2026 16:51:58 +0100
Subject: [PATCH] reva-bump-2.42.3 (#2276)

---
 go.mod                                                    | 2 +-
 go.sum                                                    | 4 ++--
 .../reva/v2/internal/grpc/interceptors/auth/scope.go      | 8 ++++++--
 vendor/modules.txt                                        | 2 +-
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 4f02102529..946bf8b696 100644
--- a/go.mod
+++ b/go.mod
@@ -65,7 +65,7 @@ require (
 	github.com/open-policy-agent/opa v1.12.3
 	github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89
 	github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
-	github.com/opencloud-eu/reva/v2 v2.42.2
+	github.com/opencloud-eu/reva/v2 v2.42.3
 	github.com/opensearch-project/opensearch-go/v4 v4.6.0
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/pkg/errors v0.9.1
diff --git a/go.sum b/go.sum
index 4057cd3b82..1aa3104c39 100644
--- a/go.sum
+++ b/go.sum
@@ -969,8 +969,8 @@ github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9 h1:dIft
 github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9/go.mod h1:JWyDC6H+5oZRdUJUgKuaye+8Ph5hEs6HVzVoPKzWSGI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76 h1:vD/EdfDUrv4omSFjrinT8Mvf+8D7f9g4vgQ2oiDrVUI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q=
-github.com/opencloud-eu/reva/v2 v2.42.2 h1:2v2RXsD9qX3L4vhu3Pl4QEXgx6jANeKz3FSFhZ3oU5E=
-github.com/opencloud-eu/reva/v2 v2.42.2/go.mod h1:LrMYMcSrH9nvTywiE1ry0i2w38yGLFKUPYxWjvKulBo=
+github.com/opencloud-eu/reva/v2 v2.42.3 h1:A9v52jgIY6+UHnj5xuC4HVn/w8X4sVSibyvWsQ/50mk=
+github.com/opencloud-eu/reva/v2 v2.42.3/go.mod h1:LrMYMcSrH9nvTywiE1ry0i2w38yGLFKUPYxWjvKulBo=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
diff --git a/vendor/github.com/opencloud-eu/reva/v2/internal/grpc/interceptors/auth/scope.go b/vendor/github.com/opencloud-eu/reva/v2/internal/grpc/interceptors/auth/scope.go
index 32f3be1bf5..ebae7a4ad3 100644
--- a/vendor/github.com/opencloud-eu/reva/v2/internal/grpc/interceptors/auth/scope.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/internal/grpc/interceptors/auth/scope.go
@@ -21,6 +21,7 @@ package auth
 import (
 	"context"
 	"fmt"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -283,8 +284,11 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
 		return false, statuspkg.NewErrorFromCode(pathResp.Status.Code, "auth interceptor")
 	}
 	childPath := pathResp.Path
-
-	return strings.HasPrefix(childPath, parentPath), nil
+	rel, err := filepath.Rel(parentPath, childPath)
+	if err != nil {
+		return false, err
+	}
+	return !strings.HasPrefix(rel, ".."), nil
 }
 
 func extractRefFromListProvidersReq(v *registry.ListStorageProvidersRequest) (*provider.Reference, bool) {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6183b581e3..bd766124ed 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1376,7 +1376,7 @@ github.com/opencloud-eu/icap-client
 # github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
 ## explicit; go 1.18
 github.com/opencloud-eu/libre-graph-api-go
-# github.com/opencloud-eu/reva/v2 v2.42.2
+# github.com/opencloud-eu/reva/v2 v2.42.3
 ## explicit; go 1.24.1
 github.com/opencloud-eu/reva/v2/cmd/revad/internal/grace
 github.com/opencloud-eu/reva/v2/cmd/revad/runtime