digi-scrypt opened a new pull request, #2873: URL: https://github.com/apache/tika/pull/2873
Assay reads in the ISA-Tab parser trust a file name straight from the parsed document:

- parseAssay loops over every "Study Assay File Name" value pulled out of the investigation file and joins it onto the location dir with no containment
- the value is attacker controlled, so "../../../etc/passwd" makes the parser open and stream a file from outside the archive folder into the output

What happens with a relative name that climbs out? Before this it just followed it. resolveWithinLocation now canonicalizes the candidate and rejects anything that doesn't sit under location (also closes the symlink variant). Test crafts an investigation pointing an assay at a sibling secret file and checks it no longer leaks.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
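
The containment check the pull request describes, sketched as an added example; this is not the PR's or Tika's own code. The method name `resolveWithinLocation` comes from the description above, while its body, the class name `AssayPathCheck` and the temporary-directory layout are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class AssayPathCheck {

    // Assumed body: resolve a document-supplied name against the trusted
    // directory and refuse anything whose real path is not inside it.
    static Path resolveWithinLocation(Path location, String fileName) throws IOException {
        // Real path of the trusted directory, with symlinks resolved.
        Path base = location.toRealPath();
        // resolve() returns an absolute argument unchanged, so an absolute
        // name is caught by the same startsWith check as "../" sequences.
        Path candidate = base.resolve(fileName).normalize();
        // Path.startsWith compares whole name elements, so a sibling such as
        // "archive-evil" does not pass as being under "archive".
        if (!candidate.startsWith(base)) {
            throw new IOException("assay file escapes location: " + fileName);
        }
        // toRealPath follows symlinks (and fails if the file is missing), so a
        // link stored inside location that points outside is rejected too.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base)) {
            throw new IOException("assay file resolves outside location: " + fileName);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/archive/a_assay.txt beside <tmp>/secret.txt
        Path root = Files.createTempDirectory("isatab-demo");
        Path location = Files.createDirectory(root.resolve("archive"));
        Files.writeString(location.resolve("a_assay.txt"), "assay data");
        Path secret = Files.writeString(root.resolve("secret.txt"), "outside the archive");
        // Assumes the platform allows creating symbolic links.
        Files.createSymbolicLink(location.resolve("link.txt"), secret);

        String[] names = {"a_assay.txt", "../secret.txt", secret.toString(), "link.txt"};
        for (String name : names) {
            try {
                System.out.println("accepted: " + resolveWithinLocation(location, name));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only `a_assay.txt` is accepted; the relative climb, the absolute path and the symlink are each rejected before any file content is read.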
