Repository: incubator-gobblin Updated Branches: refs/heads/master e7bb4c40f -> 383568685
[GOBBLIN-508][GOBBLIN-486] Ensure that in AWSConfigManager the files are extracted within the output directory Closes #2377 from abti/master Project: http://git-wip-us.apache.org/repos/asf/incubator-gobblin/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-gobblin/commit/38356868 Tree: http://git-wip-us.apache.org/repos/asf/incubator-gobblin/tree/38356868 Diff: http://git-wip-us.apache.org/repos/asf/incubator-gobblin/diff/38356868 Branch: refs/heads/master Commit: 3835686858382c50579989127829aca070f9de44 Parents: e7bb4c4 Author: Abhishek Tiwari <[email protected]> Authored: Mon Jun 4 17:31:42 2018 -0700 Committer: Abhishek Tiwari <[email protected]> Committed: Mon Jun 4 17:31:42 2018 -0700 ---------------------------------------------------------------------- .../gobblin/aws/AWSJobConfigurationManager.java | 4 ++++ .../main/java/org/apache/gobblin/util/FileUtils.java | 15 +++++++++++++++ .../java/org/apache/gobblin/util/FileUtilsTest.java | 15 +++++++++++++++ 3 files changed, 34 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-gobblin/blob/38356868/gobblin-aws/src/main/java/org/apache/gobblin/aws/AWSJobConfigurationManager.java ----------------------------------------------------------------------
diff --git a/gobblin-aws/src/main/java/org/apache/gobblin/aws/AWSJobConfigurationManager.java b/gobblin-aws/src/main/java/org/apache/gobblin/aws/AWSJobConfigurationManager.java
index 6ad15c2..042503f 100644
--- a/gobblin-aws/src/main/java/org/apache/gobblin/aws/AWSJobConfigurationManager.java
+++ b/gobblin-aws/src/main/java/org/apache/gobblin/aws/AWSJobConfigurationManager.java
@@ -197,6 +197,10 @@ public class AWSJobConfigurationManager extends JobConfigurationManager {
 while (entries.hasMoreElements()) {
 final ZipEntry entry = entries.nextElement();
 final File entryDestination = new File(outputDir, entry.getName());
+ if (!org.apache.gobblin.util.FileUtils.isSubPath(outputDir, entryDestination)) {
+ throw new IOException(String.format("Extracted file: %s is trying to write outside of output directory: %s",
+ entryDestination, outputDir));
+ }
 if (entry.isDirectory()) { // If entry is directory, create directory
http://git-wip-us.apache.org/repos/asf/incubator-gobblin/blob/38356868/gobblin-utility/src/main/java/org/apache/gobblin/util/FileUtils.java ----------------------------------------------------------------------
diff --git a/gobblin-utility/src/main/java/org/apache/gobblin/util/FileUtils.java b/gobblin-utility/src/main/java/org/apache/gobblin/util/FileUtils.java
index 49bf6dd..6f314d2 100644
--- a/gobblin-utility/src/main/java/org/apache/gobblin/util/FileUtils.java
+++ b/gobblin-utility/src/main/java/org/apache/gobblin/util/FileUtils.java
@@ -17,6 +17,7 @@
 package org.apache.gobblin.util;
+import java.io.File;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.nio.charset.StandardCharsets;
@@ -33,4 +34,18 @@ public class FileUtils {
 out.flush();
 }
 }
+
+ /***
+ * Check if child path is child of parent path.
+ * @param parent Expected parent path.
+ * @param child Expected child path.
+ * @return If child path is child of parent path.
+ * @throws IOException
+ */
+ public static boolean isSubPath(File parent, File child) throws IOException {
+ String childStr = child.getCanonicalPath();
+ String parentStr = parent.getCanonicalPath();
+
+ return childStr.startsWith(parentStr);
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-gobblin/blob/38356868/gobblin-utility/src/test/java/org/apache/gobblin/util/FileUtilsTest.java ----------------------------------------------------------------------
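Review bot: The new guard in the entry loop of AWSJobConfigurationManager carries no comment naming the input it defends against, so the fully qualified `org.apache.gobblin.util.FileUtils.isSubPath` call reads as an unexplained special case. A line such as `// Reject zip entries whose name resolves outside outputDir (e.g. via "../" segments)` above the `if` would record the intent. The exception is thrown from inside the loop, so entries written before the rejected one presumably remain in outputDir; whether the caller cleans them up cannot be seen here, because the enclosing method starts and ends outside the hunk.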
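Review bot: `isSubPath` in FileUtils.java compares the canonical paths as raw strings, so `childStr.startsWith(parentStr)` also returns true for a sibling directory whose name merely begins with the parent's name (parent `/tmp/foo/bar`, child `/tmp/foo/barbaz/file.txt`). That leaves the extraction guard added in AWSJobConfigurationManager incomplete. Comparing by path component closes the gap and keeps the equal-path case true: `return child.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath());`. The Javadoc should also say that a path equal to the parent counts as a sub-path and that `IOException` comes from canonicalization.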
diff --git a/gobblin-utility/src/test/java/org/apache/gobblin/util/FileUtilsTest.java b/gobblin-utility/src/test/java/org/apache/gobblin/util/FileUtilsTest.java
index 3956da3..a1f5bc0 100644
--- a/gobblin-utility/src/test/java/org/apache/gobblin/util/FileUtilsTest.java
+++ b/gobblin-utility/src/test/java/org/apache/gobblin/util/FileUtilsTest.java
@@ -17,6 +17,7 @@
 package org.apache.gobblin.util;
+import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -40,4 +41,18 @@ public class FileUtilsTest {
 Files.deleteIfExists(destPath);
 }
+
+ @Test
+ public void testIsSubPath() throws IOException {
+ File parentPath = new File("/tmp/foo/bar");
+
+ File childPath = new File("/tmp/foo/../tar/file.txt");
+ assertThat(false).isEqualTo(FileUtils.isSubPath(parentPath, childPath));
+
+ childPath = new File("/tmp/foo/tar/../bar/file.txt");
+ assertThat(true).isEqualTo(FileUtils.isSubPath(parentPath, childPath));
+
+ childPath = new File("/tmp/foo/bar/car/file.txt");
+ assertThat(true).isEqualTo(FileUtils.isSubPath(parentPath, childPath));
+ }
 }
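Review bot: `testIsSubPath` has no case for a sibling directory that shares the parent's name as a prefix, which is the one input the string comparison in `isSubPath` gets wrong. Adding `assertThat(FileUtils.isSubPath(parentPath, new File("/tmp/foo/barbaz/file.txt"))).isFalse();` would pin it; with the implementation shown on this page that assertion is expected to fail until `isSubPath` compares by path component. The existing assertions also pass the expected value to `assertThat` and the actual one to `isEqualTo`, so a failure message would report the two swapped.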
