btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push:
new 7e07622 JAMES-3646 Rely on Java NIO Paths for file validation (#789)
7e07622 is described below
commit 7e07622acd86101d0043c9048b971e2fbeec47f6
Author: Benoit TELLIER <[email protected]>
AuthorDate: Mon Dec 13 08:21:58 2021 +0700
JAMES-3646 Rely on Java NIO Paths for file validation (#789)
---
.../james/server/core/filesystem/ResourceFactory.java | 14 +++++++++-----
.../java/org/apache/james/filesystem/api/FileSystem.java | 9 +++++----
.../spring/resource/DefaultJamesResourceLoader.java | 11 ++++-------
3 files changed, 18 insertions(+), 16 deletions(-)
diff --git
a/server/container/core/src/main/java/org/apache/james/server/core/filesystem/ResourceFactory.java
b/server/container/core/src/main/java/org/apache/james/server/core/filesystem/ResourceFactory.java
index bb2b740..bdafd50 100644
---
a/server/container/core/src/main/java/org/apache/james/server/core/filesystem/ResourceFactory.java
+++
b/server/container/core/src/main/java/org/apache/james/server/core/filesystem/ResourceFactory.java
@@ -22,6 +22,8 @@ import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
+import java.nio.file.Path;
+import java.nio.file.Paths;
import org.apache.james.filesystem.api.FileSystem;
import org.apache.james.filesystem.api.JamesDirectoriesProvider;
@@ -35,12 +37,14 @@ public class ResourceFactory {
}
public void validate(File file) throws IOException {
- String canonicalPath = file.getCanonicalPath();
- if (!canonicalPath.startsWith(directoryProvider.getAbsoluteDirectory())
- && !canonicalPath.startsWith(directoryProvider.getRootDirectory())
- && !canonicalPath.startsWith(directoryProvider.getVarDirectory()))
{
+ Path resourcePath = file.toPath().normalize();
+ if
(!resourcePath.startsWith(Paths.get(directoryProvider.getConfDirectory()).normalize())
+ &&
!resourcePath.startsWith(Paths.get(directoryProvider.getRootDirectory()).normalize())
+ &&
!resourcePath.startsWith(Paths.get(directoryProvider.getVarDirectory()).normalize()))
{
- throw new IOException(canonicalPath + " jail break outside of " +
directoryProvider.getRootDirectory());
+ throw new IOException(String.format("%s path is not part of
allowed resource locations: %s, %s, %s",
+ resourcePath.toFile().getCanonicalPath(),
directoryProvider.getConfDirectory(), directoryProvider.getRootDirectory(),
+ directoryProvider.getVarDirectory()));
}
}
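Review bot: `file.toPath().normalize()` in `validate` is purely lexical: unlike the `getCanonicalPath()` it replaces, it does not resolve symbolic links or make a relative path absolute, so a path that sits textually under the conf, root or var directory but is a symlink to somewhere else now passes the check. The component-wise `Path.startsWith` is a real improvement over the old string-prefix test, which would accept a sibling directory whose name merely begins with an allowed one, so I would keep it and compare canonical paths on both sides: `Path resourcePath = file.getCanonicalFile().toPath();`, with each allowed directory built as `Paths.get(dir).toFile().getCanonicalFile().toPath()`. The same lexical comparison is used in `getFileWithinBaseDir` in FileSystem.java, and `DefaultJamesResourceLoader.validate` now delegates to this method, so both inherit the behaviour. Please also confirm that replacing `getAbsoluteDirectory()` with `getConfDirectory()` is intended, since it changes the set of allowed locations and not only how they are compared.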
diff --git
a/server/container/filesystem-api/src/main/java/org/apache/james/filesystem/api/FileSystem.java
b/server/container/filesystem-api/src/main/java/org/apache/james/filesystem/api/FileSystem.java
index 96f095b..792c820 100644
---
a/server/container/filesystem-api/src/main/java/org/apache/james/filesystem/api/FileSystem.java
+++
b/server/container/filesystem-api/src/main/java/org/apache/james/filesystem/api/FileSystem.java
@@ -23,6 +23,7 @@ import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
+import java.nio.file.Path;
/**
* This service is used by components that wants to lookup a File resource from
@@ -85,11 +86,11 @@ public interface FileSystem {
* Similar to getFile but enforces the file to be within baseDir
*/
default File getFileWithinBaseDir(String fileURL) throws
FileNotFoundException, IOException {
- File file = getFile(fileURL);
- if
(file.getCanonicalPath().startsWith(getBasedir().getCanonicalPath())) {
- return file;
+ Path path = getFile(fileURL).toPath().normalize();
+ if (path.startsWith(getBasedir().toPath().normalize())) {
+ return path.toFile();
}
- throw new IOException(fileURL + " -> " + file.getCanonicalPath() + "
jail break outside of " + getBasedir().getCanonicalPath());
+ throw new IOException(fileURL + " -> " +
path.toFile().getCanonicalPath() + " jail break outside of " +
getBasedir().getCanonicalPath());
}
/**
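Review bot: The exception message in `getFileWithinBaseDir` prints `path.toFile().getCanonicalPath()` and `getBasedir().getCanonicalPath()`, but the decision just above it is made on the normalized paths, so the values in the log can differ from the ones that were actually compared. Printing the compared values, `path` and `getBasedir().toPath().normalize()`, would make a rejection easier to diagnose. The Javadoc could also gain `@throws IOException if the resolved file is not under the base directory`, and say that the returned `File` is the normalized path rather than the object `getFile` returned.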
diff --git
a/server/container/spring/src/main/java/org/apache/james/container/spring/resource/DefaultJamesResourceLoader.java
b/server/container/spring/src/main/java/org/apache/james/container/spring/resource/DefaultJamesResourceLoader.java
index 1773a85..85c1bd5 100644
---
a/server/container/spring/src/main/java/org/apache/james/container/spring/resource/DefaultJamesResourceLoader.java
+++
b/server/container/spring/src/main/java/org/apache/james/container/spring/resource/DefaultJamesResourceLoader.java
@@ -23,6 +23,7 @@ import java.io.IOException;
import org.apache.james.filesystem.api.FileSystem;
import org.apache.james.filesystem.api.JamesDirectoriesProvider;
+import org.apache.james.server.core.filesystem.ResourceFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.DefaultResourceLoader;
@@ -36,20 +37,16 @@ import org.springframework.core.io.Resource;
public class DefaultJamesResourceLoader extends DefaultResourceLoader
implements JamesResourceLoader {
private final JamesDirectoriesProvider jamesDirectoriesProvider;
+ private final ResourceFactory resourceFactory;
public DefaultJamesResourceLoader(JamesDirectoriesProvider
jamesDirectoriesProvider) {
this.jamesDirectoriesProvider = jamesDirectoriesProvider;
+ this.resourceFactory = new ResourceFactory(jamesDirectoriesProvider);
}
@Override
public void validate(File file) throws IOException {
- String canonicalPath = file.getCanonicalPath();
- if
(!canonicalPath.startsWith(jamesDirectoriesProvider.getAbsoluteDirectory())
- &&
!canonicalPath.startsWith(jamesDirectoriesProvider.getRootDirectory())
- &&
!canonicalPath.startsWith(jamesDirectoriesProvider.getVarDirectory())) {
-
- throw new IOException(canonicalPath + " jail break outside of " +
jamesDirectoriesProvider.getRootDirectory());
- }
+ resourceFactory.validate(file);
}
/**