fix(webserver): add check in file creation path for _flows* (#6228)

webserver/src/main/java/io/kestra/webserver/controllers/api/NamespaceFileController.java

@@ -49,7 +49,7 @@ public class NamespaceFileController {
     private FlowService flowService;
 
     private final List<Pattern> forbiddenPathPatterns = List.of(
-        Pattern.compile("/" + FLOWS_FOLDER + ".*")
+        Pattern.compile("/" + FLOWS_FOLDER + "(/.*)?$")
     );
 
 
@@ -193,7 +193,7 @@ private void putNamespaceFile(String tenantId, String namespace, URI path, Buffe
             this.importFlow(tenantId, flowSource);
             return;
         }
-
+        forbiddenPathsGuard(path);
         storageInterface.put(tenantId, namespace, NamespaceFile.of(namespace, path).uri(), inputStream);
     }
 
@@ -262,7 +262,6 @@ public void delete(
             path = "/" + path;
         }
         encodedPath = new URI(URLEncoder.encode(path, StandardCharsets.UTF_8));
-
         ensureWritableNamespaceFile(encodedPath);
 
         String pathWithoutScheme = encodedPath.getPath();

webserver/src/test/java/io/kestra/webserver/controllers/api/NamespaceFileControllerTest.java

@@ -4,6 +4,7 @@
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.startsWith;
 import static org.hamcrest.core.Is.is;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import io.kestra.core.junit.annotations.KestraTest;
 import io.kestra.core.junit.annotations.LoadFlows;
@@ -128,9 +129,26 @@ void listWithoutPreCreation() {
     @Test
     void createDirectory() throws IOException {
         client.toBlocking().exchange(HttpRequest.POST("/api/v1/namespaces/" + NAMESPACE + "/files/directory?path=/test", null));
+        client.toBlocking().exchange(HttpRequest.POST("/api/v1/namespaces/" + NAMESPACE + "/files/directory?path=/_flows2", null));
         FileAttributes res = storageInterface.getAttributes(null, NAMESPACE, toNamespacedStorageUri(NAMESPACE, URI.create("/test")));
         assertThat(res.getFileName(), is("test"));
         assertThat(res.getType(), is(FileAttributes.FileType.Directory));
+        FileAttributes flows = storageInterface.getAttributes(null, NAMESPACE, toNamespacedStorageUri(NAMESPACE, URI.create("/_flows2")));
+        assertThat(flows.getFileName(), is("_flows2"));
+        assertThat(flows.getType(), is(FileAttributes.FileType.Directory));
+    }
+
+    @Test
+    void createDirectoryException() {
+    assertThrows(
+        HttpClientResponseException.class,
+        () ->
+            client
+                .toBlocking()
+                .exchange(
+                    HttpRequest.POST(
+                        "/api/v1/namespaces/" + NAMESPACE + "/files/directory?path=/_flows",
+                        null)));
     }
 
     @Test
@@ -143,6 +161,25 @@ void createFile() throws IOException {
                 .contentType(MediaType.MULTIPART_FORM_DATA_TYPE)
         );
         assertNamespaceFileContent(URI.create("/test.txt"), "Hello");
+        MultipartBody flowBody = MultipartBody.builder()
+            .addPart("fileContent", "_flowsFile", "Hello".getBytes())
+            .build();
+        client.toBlocking().exchange(
+            HttpRequest.POST("/api/v1/namespaces/" + NAMESPACE + "/files?path=/_flowsFile", flowBody)
+                .contentType(MediaType.MULTIPART_FORM_DATA_TYPE)
+        );
+        assertNamespaceFileContent(URI.create("/_flowsFile"), "Hello");
+    }
+
+    @Test
+    void createFileFlowException() {
+        MultipartBody body = MultipartBody.builder()
+            .addPart("fileContent", "_flows", "Hello".getBytes())
+            .build();
+        assertThrows(HttpClientResponseException.class, () -> client.toBlocking().exchange(
+            HttpRequest.POST("/api/v1/namespaces/" + NAMESPACE + "/files?path=/_flows", body)
+                .contentType(MediaType.MULTIPART_FORM_DATA_TYPE)
+        ));
     }
 
     @Test