ppkarwasz commented on PR #805:
URL: https://github.com/apache/commons-io/pull/805#issuecomment-3419766717
This API needs a clear security model: is it intended for reading existing
files, creating new files or both?
The path resolution strategy should change depending on the use case:
1. **Reading trusted configuration files**

   When reading from trusted system locations (e.g. configuration directories
   managed by sysadmins), we typically must allow symlinks. Example: On Debian,
   `CATALINA_BASE` is `/var/lib/tomcat`, but `/var/lib/tomcat/conf` is a symlink
   to `/etc/tomcat`, which should be allowed.

2. **Reading files from untrusted user input**

   For user-supplied paths, following symlinks can enable path traversal
   attacks. In this case, symlinks should generally **not be followed**.
At the moment, the class performs only **syntactic** path validation using
`path.toAbsolutePath().normalize()`. This is sufficient for trusted
environments (e.g. system-managed configuration directories), but it does
**not** call `Path.toRealPath()`, which resolves symlinks. As a result, when
used with a root directory that may contain **untrusted content**, it can be
bypassed by symlink-based path traversal attacks.
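Added illustration of the gap described in the comment above (editor's example, not code from the PR or from commons-io): a purely lexical `toAbsolutePath().normalize()` containment check beside one that goes through `toRealPath()`, run against a constructed temp directory holding a symlink that points outside the root. It assumes a POSIX filesystem on which the JVM is permitted to create symbolic links.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SymlinkRootCheck {

    // Syntactic containment: resolves "." and ".." lexically and never consults
    // the filesystem, so a symlink inside root that points outside is invisible to it.
    static boolean insideSyntactic(Path root, Path candidate) {
        Path absRoot = root.toAbsolutePath().normalize();
        Path abs = absRoot.resolve(candidate).toAbsolutePath().normalize();
        return abs.startsWith(absRoot);
    }

    // Semantic containment: resolves symlinks on both sides before comparing.
    // Resolving root as well keeps a legitimately symlinked root (the Debian
    // conf -> /etc/tomcat case) working. toRealPath() requires the target to exist,
    // so this fits the "read an existing file" use case only; creating a new file
    // under the root needs a different strategy.
    static boolean insideReal(Path root, Path candidate) throws IOException {
        Path realRoot = root.toRealPath();
        Path real = realRoot.resolve(candidate).toRealPath();
        return real.startsWith(realRoot);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout, all under a fresh temp dir:
        //   root/ok.txt, root/link -> ../outside, outside/secret.txt
        Path tmp = Files.createTempDirectory("symlink-demo");
        Path root = Files.createDirectory(tmp.resolve("root"));
        Path outside = Files.createDirectory(tmp.resolve("outside"));
        Files.writeString(root.resolve("ok.txt"), "inside");
        Files.writeString(outside.resolve("secret.txt"), "outside");
        Files.createSymbolicLink(root.resolve("link"), outside);

        Path plain = Path.of("ok.txt");
        Path dotDot = Path.of("../outside/secret.txt");
        Path viaLink = Path.of("link/secret.txt");

        // The lexical check rejects the ".." form but accepts the hop through the symlink.
        System.out.println("syntactic ok.txt               -> " + insideSyntactic(root, plain));
        System.out.println("syntactic ../outside/secret.txt -> " + insideSyntactic(root, dotDot));
        System.out.println("syntactic link/secret.txt      -> " + insideSyntactic(root, viaLink));

        // The real-path check compares resolved locations, so the symlink hop is rejected too.
        System.out.println("real      ok.txt               -> " + insideReal(root, plain));
        System.out.println("real      link/secret.txt      -> " + insideReal(root, viaLink));
    }
}
```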