oscerd opened a new pull request, #24180: URL: https://github.com/apache/camel/pull/24180
Fixes [CAMEL-23765](https://issues.apache.org/jira/browse/CAMEL-23765). ## Problem When `localWorkDirectory` is enabled, the remote-file consumers build the local work file path from the remote file name (`target.getRelativeFilePath()`) **without ensuring the result stays within the configured work directory**: ```java File local = new File(normalizePath(localWorkDirectory)); String relativeName = target.getRelativeFilePath(); // untrusted remote name local = new File(local, relativeName); // "../" escapes the work dir local.mkdirs(); // ... writes outside localWorkDirectory ``` A remote file name containing `../` sequences could therefore resolve to a path **outside** the work directory (arbitrary local file write) — unlike the file producer, which already jails writes via `FileUtil.compactPath` + `startsWith` when `jailStartingDirectory` is enabled. Per the security model, *path traversal in file/FTP consumers* is in scope. ## Change - New shared **`GenericFileHelper.jailToLocalWorkDirectory(target, workDir)`** (camel-file) — throws `GenericFileOperationFailedException` if `compactPath(target)` does not `startsWith` `compactPath(workDir)`, mirroring the producer's `jailedCheck`. - Applied (to both the in-progress temp file and the final file), **before `mkdirs`**, in the `localWorkDirectory` download path of: - `FtpOperations` + `SftpOperations` (camel-ftp) - `MinaSftpOperations` (camel-mina-sftp) - `FilesOperations` (camel-azure-files) - `SmbOperations` (camel-smb) - **Reuses the existing `jailStartingDirectory` option** (default `true`, inherited by all 5 endpoints) — secure by default, consistent with the producer, opt-out via `jailStartingDirectory=false`. No new config surface. ## Tests - New `GenericFileHelperTest` — verifies files within the work directory (incl. `../` that still resolves inside) are allowed, and escaping paths are rejected. - Existing localWorkDirectory ITs (camel-smb `SmbConsumerLocalWorkDirectoryIT`, camel-mina-sftp feature IT) cover legitimate-download regression. - Full reactor build (`mvn clean install -DskipTests`, 1874 modules) green, no drift. No generated-file impact (no `@UriParam`). ## Documentation - `camel-4x-upgrade-guide-4_21.adoc` — note added for the remote-file consumers. ## Compatibility / backport Default-secure with an opt-out (`jailStartingDirectory=false`), so suitable for backport to `camel-4.18.x` and `camel-4.14.x` (per the Jira `fixVersions`). Matching 4_18/4_14 guide entries will be added on `main` with the backports. --- _Claude Code on behalf of Andrea Cosentino_ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
