Skip to content
This repository has been archived by the owner on Jan 9, 2025. It is now read-only.

DD-1459 Fix uncontrolled data used in path expression #132

Merged
merged 7 commits into from
Apr 11, 2024
Merged

DD-1459 Fix uncontrolled data used in path expression #132

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
34c0813
DD-1459 Fix uncontrolled data used in path expression - Test 4A
Apr 2, 2024
ff0557b
DD-1459 Fix uncontrolled data used in path expression - Test 4B
Apr 2, 2024
d58af96
Merge branch 'master' into DD-1459-Fix-Uncontrolled-data-used-in-path…
janvanmansum Apr 8, 2024
e0af15b
Merge branch 'master' into DD-1459-Fix-Uncontrolled-data-used-in-path…
janvanmansum Apr 8, 2024
900ca2c
DD-1492 dd-manage-deposits improvemnet and fixes for DD-1419
Apr 9, 2024
ad77d69
Merge remote-tracking branch 'origin/master' into DD-1459-Fix-Uncontr…
Apr 9, 2024
c6be8c0
Merge remote-tracking branch 'my-fork/DD-1459-Fix-Uncontrolled-data-u…
Apr 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions src/main/java/nl/knaw/dans/ingest/core/ImportArea.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class ImportArea extends AbstractIngestArea {
Expand Down Expand Up @@ -86,7 +85,7 @@ public String startImport(Path inputPath, boolean isBatch, boolean continuePrevi
private void validateBatchDirectory(Path input) {
if (Files.isDirectory(input)) {
try (Stream<Path> subPaths = Files.list(input)) {
List<Path> paths = subPaths.collect(Collectors.toList());
List<Path> paths = subPaths.toList();
for (Path f : paths) {
validateDepositDirectory(f);
}
Expand All @@ -108,4 +107,12 @@ private void validateDepositDirectory(Path input) {
throw new IllegalArgumentException(String.format("Directory %s does not contain file deposit.properties. Not a valid deposit directory", input));
}
}

public Path getSecurePath(Path path) throws RuntimeException {
Path normalizedPath = path.normalize().toAbsolutePath();
if (!normalizedPath.startsWith(this.inboxDir)) {
throw new IllegalArgumentException(String.format("InsecurePath %s", normalizedPath));
}
return normalizedPath;
}
}
3 changes: 2 additions & 1 deletion src/main/java/nl/knaw/dans/ingest/resources/ImportsResource.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,8 @@ public Response startImport(StartImport start) {
log.debug("Received command = {}", start);
String batchName;
try {
batchName = importArea.startImport(start.getInputPath(), start.isBatch(), start.isContinue());
java.nio.file.Path securePath = importArea.getSecurePath(start.getInputPath());
janvanmansum marked this conversation as resolved.
Show resolved Hide resolved
batchName = importArea.startImport(securePath, start.isBatch(), start.isContinue());
}
catch (IllegalArgumentException e) {
throw new BadRequestException(e.getMessage());
Expand Down
3 changes: 2 additions & 1 deletion src/main/java/nl/knaw/dans/ingest/resources/MigrationsResource.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,8 @@ public Response startImport(StartImport start) {
log.info("Received command = {}", start);
String taskName;
try {
taskName = migrationArea.startImport(start.getInputPath(), start.isBatch(), start.isContinue());
java.nio.file.Path securePath = migrationArea.getSecurePath(start.getInputPath());
janvanmansum marked this conversation as resolved.
Show resolved Hide resolved
taskName = migrationArea.startImport(securePath, start.isBatch(), start.isContinue());
}
catch (IllegalArgumentException e) {
throw new BadRequestException(e.getMessage());
Expand Down
Loading