gitgabrio commented on code in PR #6288:
URL:
https://github.com/apache/incubator-kie-drools/pull/6288#discussion_r2015924071
##########
kie-maven-plugin/src/main/java/org/kie/maven/plugin/DiskResourceStore.java:
##########
@@ -80,53 +77,35 @@ public void remove(String pResourceName) {
private void commonWrite(String fullPath, byte[] pResourceData, boolean
createFolder) {
File file = new File(fullPath);
if (createFolder) {
- File dir = file.getParentFile();
- if (!dir.exists()) {
- dir.mkdirs();
+ if (!file.getParentFile().exists()) {
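Review bot: At `if (!file.getParentFile().exists())`, the path being probed is still whatever arrives in `fullPath`; nothing visible in this hunk validates it before `new File(fullPath)`, and inlining the `dir` local does not change that. Consider resolving `fullPath` against an intended base directory, normalizing it, and rejecting anything that falls outside that directory before calling `exists()`. Separately, `getParentFile()` returns null for a path with no parent component, so this line (like the removed `dir.exists()`) can throw a NullPointerException; a null check would cover it.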
Review Comment:
The problem is
> 'exists' method of 'java.io.File' object could be abused to disclose or manipulate sensitive files
so, I'm not sure if this modification would actually solve it.
##########
kie-maven-plugin/src/main/java/org/kie/maven/plugin/DiskResourceStore.java:
##########
@@ -80,53 +77,35 @@ public void remove(String pResourceName) {
private void commonWrite(String fullPath, byte[] pResourceData, boolean
createFolder) {
File file = new File(fullPath);
if (createFolder) {
- File dir = file.getParentFile();
- if (!dir.exists()) {
- dir.mkdirs();
+ if (!file.getParentFile().exists()) {
+ boolean created = file.getParentFile().mkdirs();
+ if (!created) {
+ System.err.println("Failed to create directory: " +
file.getParentFile().getAbsolutePath());
+ }
}
}
- FileOutputStream fos = null;
- try {
- fos = new FileOutputStream(file);
+ try (FileOutputStream fos = new FileOutputStream(file)) {
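Review bot: In the `if (!created)` branch, a failed `mkdirs()` is only printed to `System.err` and execution continues into `new FileOutputStream(file)`, which, if the directory is really missing, fails later with a less specific error. Consider throwing at that point, or at least reporting through a logger rather than `System.err`. `mkdirs()` also returns false when the directory already exists, so if something else creates it between the `exists()` check and the call, the message is printed although nothing went wrong; `Files.createDirectories` avoids that check-then-act gap. The try-with-resources on `FileOutputStream` tightens stream cleanup but opens the same unvalidated `file`.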
Review Comment:
The problem is
> 'new' method of 'java.io.FileOutputStream' object could be abused to disclose or manipulate sensitive files:
so, I'm not sure if this modification would actually solve it.