This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch karaf-4.2.x
in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/karaf-4.2.x by this push:
new f41fda3 [KARAF-7326] Add ending slash (separator) in canonical path,
avoiding partial path traversal
f41fda3 is described below
commit f41fda346a37f51702a691aaa152a387156192db
Author: Jean-Baptiste Onofré <[email protected]>
AuthorDate: Sun Jan 9 19:04:17 2022 +0100
[KARAF-7326] Add ending slash (separator) in canonical path, avoiding
partial path traversal
(cherry picked from commit 36a2bc430cc773db1cfd0b32e307d9da2d1697f7)
---
obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java | 6 +++++-
.../src/main/java/org/apache/karaf/tooling/RunMojo.java | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
b/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
index 7725d58..3dcbcc7 100644
--- a/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
+++ b/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
@@ -110,7 +110,11 @@ public class FileUtil
}
File target = new File(dir, je.getName());
- if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath()))
{
+ String canonicalizedDir = dir.getCanonicalPath();
+ if (!canonicalizedDir.endsWith(File.separator)) {
+ canonicalizedDir += File.separator;
+ }
+ if (!target.getCanonicalPath().startsWith(canonicalizedDir)) {
throw new IOException("JAR resource cannot contain paths with
.. characters");
}
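Review bot: The new prefix check rejects an entry whose canonical path equals the extraction directory itself, because `canonicalizedDir` now carries a trailing separator while `target.getCanonicalPath()` never does; this matters most in the RunMojo hunk, where `name.substring(name.indexOf("/") + 1)` turns a top-level directory entry such as `"foo/"` into `""`, so `new File(targetDir, "")` canonicalizes to `targetDir` and the check would now throw unless the loop (which starts outside both hunks) skips such entries earlier. A component-wise comparison avoids both that edge case and the hand-rolled separator handling, e.g. `Path base = dir.getCanonicalFile().toPath();` followed by `if (!target.getCanonicalFile().toPath().startsWith(base)) {`, at the cost of a `java.nio.file.Path` import. Since `dir` does not change per entry, the canonicalized base could also be computed once before the loop instead of on every iteration, which currently performs filesystem resolution for each JAR entry. If the string form is kept, the trailing separator deserves a comment so the next maintainer does not "simplify" it away, e.g. `// trailing separator: a base of "/out" must not accept "/outside/x"`.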
diff --git
a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
index 57f5a1a..9629742 100644
---
a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
+++
b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
@@ -436,7 +436,11 @@ public class RunMojo extends MojoSupport {
String name = entry.getName();
name = name.substring(name.indexOf("/") + 1);
File file = new File(targetDir, name);
- if
(!file.getCanonicalPath().startsWith(targetDir.getCanonicalPath())) {
+ String canonicalizedTargetDir = targetDir.getCanonicalPath();
+ if (!canonicalizedTargetDir.endsWith(File.separator)) {
+ canonicalizedTargetDir += File.separator;
+ }
+ if
(!file.getCanonicalPath().startsWith(canonicalizedTargetDir)) {
throw new IOException("Archive cannot contain paths with
.. characters");
}