DD-1459 Fix uncontrolled data used in path expression (#132)

* DD-1459 Fix uncontrolled data used in path expression - Test 4A * DD-1459 Fix uncontrolled data used in path expression - Test 4B * DD-1492 dd-manage-deposits improvemnet and fixes for DD-1419 --------- Co-authored-by: Ali Sheikhi <[email protected]> Co-authored-by: Jan van Mansum <[email protected]>
DANS-KNAW · Apr 11, 2024 · 3cb1110 · 3cb1110
1 parent fcd5bf8
commit 3cb1110
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/src/main/java/nl/knaw/dans/ingest/core/ImportArea.java b/src/main/java/nl/knaw/dans/ingest/core/ImportArea.java
@@ -30,7 +30,6 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.List;
-import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 public class ImportArea extends AbstractIngestArea {
@@ -86,7 +85,7 @@ public String startImport(Path inputPath, boolean isBatch, boolean continuePrevi
     private void validateBatchDirectory(Path input) {
         if (Files.isDirectory(input)) {
             try (Stream<Path> subPaths = Files.list(input)) {
-                List<Path> paths = subPaths.collect(Collectors.toList());
+                List<Path> paths = subPaths.toList();
                 for (Path f : paths) {
                     validateDepositDirectory(f);
                 }
@@ -108,4 +107,12 @@ private void validateDepositDirectory(Path input) {
             throw new IllegalArgumentException(String.format("Directory %s does not contain file deposit.properties. Not a valid deposit directory", input));
         }
     }
+
+    public Path getSecurePath(Path path) throws RuntimeException {
+        Path normalizedPath = path.normalize().toAbsolutePath();
+        if (!normalizedPath.startsWith(this.inboxDir)) {
+            throw new IllegalArgumentException(String.format("InsecurePath %s", normalizedPath));
+        }
+        return normalizedPath;
+    }
 }
diff --git a/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java b/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java
@@ -47,7 +47,8 @@ public Response startImport(StartImport start) {
         log.debug("Received command = {}", start);
         String batchName;
         try {
-            batchName = importArea.startImport(start.getInputPath(), start.isBatch(), start.isContinue());
+            var securePath = importArea.getSecurePath(start.getInputPath());
+            batchName = importArea.startImport(securePath, start.isBatch(), start.isContinue());
         }
         catch (IllegalArgumentException e) {
             throw new BadRequestException(e.getMessage());

diff --git a/src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java b/src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java
@@ -47,7 +47,8 @@ public Response startImport(StartImport start) {
         log.info("Received command = {}", start);
         String taskName;
         try {
-            taskName = migrationArea.startImport(start.getInputPath(), start.isBatch(), start.isContinue());
+            var securePath = migrationArea.getSecurePath(start.getInputPath());
+            taskName = migrationArea.startImport(securePath, start.isBatch(), start.isContinue());
         }
         catch (IllegalArgumentException e) {
             throw new BadRequestException(e.getMessage());