(sling-org-apache-sling-feature-cpconverter) branch master updated: SLING-12710 avoid write outside of the temp directory (#184)

Thu, 20 Mar 2025 04:54:56 -0700 

This is an automated email from the ASF dual-hosted git repository.

joerghoh pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-feature-cpconverter.git


The following commit(s) were added to refs/heads/master by this push:
     new 4890016  SLING-12710 avoid write outside of the temp directory (#184)
4890016 is described below

commit 4890016ff4dc8ac3141c1eb07cf4fe95bed9769c
Author: Jörg Hoh <[email protected]>
AuthorDate: Thu Mar 20 12:54:41 2025 +0100

    SLING-12710 avoid write outside of the temp directory (#184)
    
    * SLING-12710 avoid write outside of the temp directory
---
 ...InitialContentBundleEntryMetaDataCollector.java | 11 +++
 ...ialContentBundleEntryMetaDataCollectorTest.java | 93 ++++++++++++++++++++++
 2 files changed, 104 insertions(+)

diff --git 
a/src/main/java/org/apache/sling/feature/cpconverter/handlers/slinginitialcontent/SlingInitialContentBundleEntryMetaDataCollector.java
 
b/src/main/java/org/apache/sling/feature/cpconverter/handlers/slinginitialcontent/SlingInitialContentBundleEntryMetaDataCollector.java
index 4c6dbe2..ce80f73 100644
--- 
a/src/main/java/org/apache/sling/feature/cpconverter/handlers/slinginitialcontent/SlingInitialContentBundleEntryMetaDataCollector.java
+++ 
b/src/main/java/org/apache/sling/feature/cpconverter/handlers/slinginitialcontent/SlingInitialContentBundleEntryMetaDataCollector.java
@@ -122,6 +122,17 @@ class SlingInitialContentBundleEntryMetaDataCollector {
             if (jarEntryIsSlingInitialContent(context, jarEntry)) {
 
                 File targetFile = new 
File(contentPackage2FeatureModelConverter.getTempDirectory(), 
jarEntry.getName().replace('/', File.separatorChar));
+                
+                // Validate that the file is actually unpacking into the temp 
directory
+                if 
(!targetFile.toPath().normalize().startsWith(contentPackage2FeatureModelConverter.getTempDirectory().toPath().normalize()))
 {
+                    throw new IOException(String.format("unpacking %s (of %s) 
would write into the directory %s outside the specified "
+                            + "temp path %s, thus terminating the operation",
+                            jarEntry.getName(),
+                            jarFile.getName(),
+                            targetFile.toPath().normalize(),
+                            
contentPackage2FeatureModelConverter.getTempDirectory().getAbsolutePath()
+                            ));
+                }
                 String canonicalDestinationPath = 
targetFile.getCanonicalPath();
 
 
diff --git 
a/src/test/java/org/apache/sling/feature/cpconverter/handlers/slinginitialcontent/SlingInitialContentBundleEntryMetaDataCollectorTest.java
 
b/src/test/java/org/apache/sling/feature/cpconverter/handlers/slinginitialcontent/SlingInitialContentBundleEntryMetaDataCollectorTest.java
new file mode 100644
index 0000000..4d4827e
--- /dev/null
+++ 
b/src/test/java/org/apache/sling/feature/cpconverter/handlers/slinginitialcontent/SlingInitialContentBundleEntryMetaDataCollectorTest.java
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations 
under
+ * the License.
+ */
+package org.apache.sling.feature.cpconverter.handlers.slinginitialcontent;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+import java.util.jar.JarOutputStream;
+import java.util.jar.Manifest;
+
+import 
org.apache.sling.feature.cpconverter.ContentPackage2FeatureModelConverter;
+import org.apache.sling.jcr.contentloader.PathEntry;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.junit.MockitoJUnitRunner;
+
+@RunWith(MockitoJUnitRunner.class)
+public class SlingInitialContentBundleEntryMetaDataCollectorTest {
+
+    @Rule
+    public TemporaryFolder tmpdir = new TemporaryFolder();
+
+    public SlingInitialContentBundleEntryMetaDataCollector collector;
+
+    @Mock
+    BundleSlingInitialContentExtractContext context;
+
+    @Test
+    public void failWithJarPathsOutsideOfTempDirectory() throws IOException {
+
+        // setup temporary directory
+        when(context.getManifest()).thenReturn(new Manifest());
+        ContentPackage2FeatureModelConverter converter = 
Mockito.mock(ContentPackage2FeatureModelConverter.class,Mockito.RETURNS_DEEP_STUBS);
+        
when(converter.getTempDirectory()).thenReturn(tmpdir.newFolder("temp"));
+        Path newBundleFile = new 
File(tmpdir.newFolder("jar").getPath(),"malicious.jar").toPath();
+
+        // Add an Sling-Initial-Content header matching the 
outside-of-current-directory path "../outside.txt"
+        List<PathEntry> pathEntryList = new ArrayList<>();
+        PathEntry pathEntry = mock(PathEntry.class);
+        when(pathEntry.getPath()).thenReturn("../outside.txt");
+        pathEntryList.add(pathEntry);
+        when(context.getPathEntryList()).thenReturn(pathEntryList);
+
+        // construct a malicous jar file
+        try (JarOutputStream jos = new JarOutputStream(new 
FileOutputStream(newBundleFile.toString()), new Manifest())) {
+            JarEntry entry = new JarEntry("../outside.txt");
+            jos.putNextEntry(entry);
+            jos.write("malicious content".getBytes());
+            jos.closeEntry();
+        }
+        JarFile jar = new JarFile(newBundleFile.toString());
+        when(context.getJarFile()).thenReturn(jar);
+        collector = new 
SlingInitialContentBundleEntryMetaDataCollector(context, converter, 
newBundleFile);
+
+        try {
+            collector.collectFromContextAndWriteTmpFiles();
+            fail("should have failed");
+        } catch (Exception e) {
+            assertEquals(IOException.class,e.getClass());
+            assertTrue("unexpected log 
message",e.getMessage().startsWith("unpacking ../outside.txt (of"));
+        }
+    }
+
+}

Reply via email to