This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.resourcebuilder-1.0.0
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-resourcebuilder.git

commit 296f03817ebeb2794a6c82cf4e9383494bbf9c9d
Author: Bertrand Delacretaz <bdelacre...@apache.org>
AuthorDate: Fri Dec 11 14:30:27 2015 +0000

    SLING-5356 - reject .. in paths
    
    git-svn-id: 
https://svn.apache.org/repos/asf/sling/trunk/bundles/commons/resourcebuilder@1719430
 13f79535-47bb-0310-9956-ffa450edef68
---
 .../org/apache/sling/resourcebuilder/impl/ResourceBuilderImpl.java   | 3 +++
 .../apache/sling/resourcebuilder/impl/ResourceBuilderImplTest.java   | 5 +++++
 2 files changed, 8 insertions(+)

diff --git 
a/src/main/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImpl.java 
b/src/main/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImpl.java
index 0abd07d..6d356f1 100644
--- 
a/src/main/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImpl.java
+++ 
b/src/main/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImpl.java
@@ -77,6 +77,9 @@ public class ResourceBuilderImpl implements ResourceBuilder {
         if(relativePath.startsWith("/")) {
             throw new IllegalArgumentException("Path is not relative:" + 
relativePath);
         }
+        if(relativePath.contains("..")) {
+            throw new IllegalArgumentException("Path contains invalid pattern 
'..': " + relativePath);
+        }
         
         final String fullPath = currentParent.getPath() + "/" + relativePath;
         final String parentPath = ResourceUtil.getParent(fullPath);
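Review bot: The new `relativePath.contains("..")` guard is a substring match, so it rejects any name with two consecutive dots (for example `a..b`), not only a `..` path segment. Failing closed is the right direction here, because the value is concatenated straight into `fullPath` two lines below and no normalization is visible in this hunk, but the strictness is undocumented. I would add a comment above the check, e.g. `// Deliberately strict: any ".." is rejected, even inside a name, so the built path cannot leave currentParent`, or compare per segment with `"..".equals(segment)` if such names must be accepted. The enclosing method starts and ends outside the hunk, so whether `fullPath` is validated again later cannot be seen from here.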
diff --git 
a/src/test/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImplTest.java
 
b/src/test/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImplTest.java
index b054a2e..189a3c1 100644
--- 
a/src/test/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImplTest.java
+++ 
b/src/test/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImplTest.java
@@ -189,6 +189,11 @@ public class ResourceBuilderImplTest {
         getBuilder(testRootPath).resource("/absolute");
     }
     
+    @Test(expected=IllegalArgumentException.class)
+    public void aboveParentFails() throws Exception {
+        getBuilder(testRootPath).resource("../foo");
+    }
+    
     @Test
     public void simpleTree() throws Exception {
         getBuilder(testRootPath)
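Review bot: `aboveParentFails` only exercises a leading `../foo`, so the guard's behaviour for a `..` in the middle or at the end of a path is not pinned by the suite. I would add sibling tests with the same `expected=IllegalArgumentException.class` for inputs such as `resource("foo/../../bar")` and `resource("foo/..")`. Without them, a later narrowing of the check (for example to a prefix test) would still pass this test while allowing a path that resolves above `testRootPath`.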
