DD-1459 Fix uncontrolled data used in path expression - Test 2A

DANS-KNAW · Apr 2, 2024 · c373f22 · c373f22
1 parent ced6bf4
commit c373f22
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/src/main/java/nl/knaw/dans/ingest/core/AbstractIngestArea.java b/src/main/java/nl/knaw/dans/ingest/core/AbstractIngestArea.java
@@ -80,4 +80,11 @@ protected void initOutbox(Path outbox, boolean allowNonEmpty) {
             throw new IllegalArgumentException("cannot initialize outbox for batch at " + outbox, e);
         }
     }
+
+    public void checkBaseFolderSecurity(Path path) throws RuntimeException {
+        Path toCheckPath = path.normalize().toAbsolutePath();
+        if (!toCheckPath.startsWith(this.inboxDir)) {
+            throw new IllegalArgumentException(String.format("InsecurePath %s", toCheckPath));
+        }
+    }
 }
diff --git a/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java b/src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java
@@ -46,6 +46,7 @@ public ImportsResource(ImportArea importArea) {
     public Response startImport(StartImport start) {
         log.debug("Received command = {}", start);
         String batchName;
+        importArea.checkBaseFolderSecurity(start.getInputPath());
         try {
             batchName = importArea.startImport(start.getInputPath(), start.isBatch(), start.isContinue());
         }