From 4d1e14ac56a5292ff6b319d1f5c508b94634c181 Mon Sep 17 00:00:00 2001
From: Ziheng Sun
Date: Sun, 15 Sep 2024 10:01:27 -0400
Subject: [PATCH] Add banner about which folder the table is showing

---
 .../com/gw/web/ResultBrowserController.java | 22 ++++++++++++++++++-
 .../content/workspace/result-browser.html | 1 +
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/gw/web/ResultBrowserController.java b/src/main/java/com/gw/web/ResultBrowserController.java
index 81519d76..9416d977 100644
--- a/src/main/java/com/gw/web/ResultBrowserController.java
+++ b/src/main/java/com/gw/web/ResultBrowserController.java
@@ -51,6 +51,12 @@ public List> listFiles(@RequestParam(defaultValue = "") Stri
 Path relativePath = rootLocation.relativize(path);
 String pathWithSubfolder = subfolder + "/" + relativePath.toString();
 pathWithSubfolder = pathWithSubfolder.replaceAll("^/+","");
+
+ // Check if pathWithSubfolder contains any attempts to go up the directory
+ Path normalizedSubfolderPath = Paths.get(pathWithSubfolder).normalize();
+ if (normalizedSubfolderPath.startsWith("..")) {
+ throw new SecurityException("Attempt to access outside of the result folder is not allowed.");
+ }
 fileDetails.put("name", rootLocation.relativize(path).toString()); // Relative path
 fileDetails.put("path", pathWithSubfolder); // Relative path
@@ -71,8 +77,11 @@ public List> listFiles(@RequestParam(defaultValue = "") Stri
 // Add formatted last modified time to file details
 fileDetails.put("modified", formattedDateTime);
- } catch (IOException e) {
+ } catch (IOException e){
 e.printStackTrace();
+ }catch (SecurityException e) {
+ System.out.println("Error: " + (e.getMessage() != null ? e.getMessage() : "Unknown error occurred"));
+ throw e;
 }
 return fileDetails;
 })
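Review bot: The new `..` check in listFiles runs inside the per-file mapping on paths produced by the walk, so by the time `normalizedSubfolderPath.startsWith("..")` fires, `rootLocation` — presumably built from the `subfolder` request parameter outside this hunk — has already been resolved and traversed; the traversal check belongs on the parameter before the walk starts. `Path.startsWith("..")` also only catches a normalized path whose first element is `..`: the regex on the line above strips a leading `/`, but a Windows drive or UNC prefix is not stripped, and `normalize()` is purely lexical so a symlink under the result folder is not caught either. Apply the same base-anchored test the other hunks use, once, to `subfolder`: `Path base = Paths.get(resultfolder).toAbsolutePath().normalize();` followed by `if (!base.resolve(subfolder).normalize().startsWith(base)) throw new SecurityException("...");`. Both the enclosing lambda and listFiles start and end outside this hunk.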
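Review bot: The added `catch (SecurityException e)` block only prints the message to stdout and rethrows, so the exception still escapes the lambda and listFiles and Spring answers with a 500 and its default error body rather than a deliberate 4xx, while the print duplicates the message the container will log for the uncaught exception anyway. If a rejected path is meant to be a client error, map it in a `@ExceptionHandler(SecurityException.class)` that returns `ResponseEntity.status(HttpStatus.FORBIDDEN).build()`, and replace the print with a logger call such as `log.warn("Rejected result path: {}", e.getMessage());` — `System.out.println` and the neighbouring `e.printStackTrace()` bypass the application's logging configuration. The try these catches close begins outside this hunk.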
@@ -87,6 +96,10 @@ public ResponseEntity downloadFile(@RequestParam String path) {
 Path filePath = Paths.get(resultfolder).resolve(path).normalize();
 System.out.println("File path: " + filePath.toAbsolutePath());
+ if (!filePath.startsWith(resultfolder)) {
+ throw new SecurityException("Attempt to access outside of the result folder is not allowed.");
+ }
+
 // Create a FileSystemResource instead of UrlResource
 Resource resource = new FileSystemResource(filePath.toFile());
 if (resource.exists() || resource.isReadable()) {
@@ -99,6 +112,9 @@ public ResponseEntity downloadFile(@RequestParam String path) {
 } else {
 return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
 }
+ }catch (SecurityException e) {
+ System.out.println("Error: " + (e.getMessage() != null ? e.getMessage() : "Unknown error occurred"));
+ throw e;
 } catch (Exception e) {
 return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
 }
@@ -112,6 +128,10 @@ public ResponseEntity serveFile(@PathVariable String filename) {
 Path filePath = Paths.get(resultfolder).resolve(filename).normalize();
 System.out.println("File path: " + filePath.toAbsolutePath());
+ if (!filePath.startsWith(resultfolder)) {
+ throw new SecurityException("Attempt to access outside of the result folder is not allowed.");
+ }
+
 // Create a FileSystemResource instead of UrlResource
 Resource resource = new FileSystemResource(filePath.toFile());
 if (resource.exists() || resource.isReadable()) {
diff --git a/src/main/resources/templates/fragments/content/workspace/result-browser.html b/src/main/resources/templates/fragments/content/workspace/result-browser.html
index fc8b024a..4bdc214c 100644
--- a/src/main/resources/templates/fragments/content/workspace/result-browser.html
+++ b/src/main/resources/templates/fragments/content/workspace/result-browser.html
@@ -4,6 +4,7 @@
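Review bot: `filePath.startsWith(resultfolder)` compares a normalized path against the raw configured string, and `Path.startsWith` matches whole elements, so a `.` or `..` segment in `resultfolder` (for example `./results`) disappears from `filePath` during `normalize()` but not from the comparand, and every download is rejected. Anchor both sides on the same normalized base: `Path base = Paths.get(resultfolder).toAbsolutePath().normalize();`, `Path filePath = base.resolve(path).normalize();`, `if (!filePath.startsWith(base)) {`. `normalize()` is lexical, so a symlink placed inside the result folder can still point outside it; if that is a concern here, compare `toRealPath()` of both sides after the existence check, since it throws for missing files. The method body continues beyond this hunk.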
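Review bot: The new `catch (SecurityException e)` sits before the existing `catch (Exception e)` and rethrows, so a rejected path now leaves downloadFile as an uncaught exception (Spring's default 500 response) while every other failure in the same try is mapped to an explicit status on the following line; a traversal attempt is a client error and deserves a status of its own. Replace `throw e;` with `return ResponseEntity.status(HttpStatus.FORBIDDEN).build();` and route the message through the application logger rather than `System.out.println`, which bypasses log levels and configuration. The try these catches close begins outside this hunk.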
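Review bot: This is the second copy of the resolve-then-`startsWith(resultfolder)` check (downloadFile carries the same four lines), and both compare a normalized path against the raw configured string, so a `.` or `..` segment in `resultfolder` makes the element-wise `startsWith` reject every file. Factor the resolution into one private helper that normalizes the base once and is called from both methods; the version below is what I would use. `filename` arrives as a `@PathVariable`, so a bare `..` (or an encoded separator, if the servlet container decodes it) is what the check must survive, and the helper rejects both because the normalized result then falls outside `base`. No `catch (SecurityException e)` for serveFile is visible in this hunk, so whatever handling exists for the thrown exception lies outside it.
```java
Path filePath = resolveInsideResultFolder(filename);
System.out.println("File path: " + filePath.toAbsolutePath());
// … unchanged: FileSystemResource construction and response …

/**
 * Resolves a client-supplied path strictly inside the configured result folder.
 * Both sides are made absolute and normalized first so the element-wise
 * startsWith comparison is meaningful; note normalize() is lexical and does
 * not follow symlinks.
 *
 * @throws SecurityException if the normalized path escapes the result folder
 */
private Path resolveInsideResultFolder(String relative) {
    Path base = Paths.get(resultfolder).toAbsolutePath().normalize();
    Path resolved = base.resolve(relative).normalize();
    if (!resolved.startsWith(base)) {
        throw new SecurityException("Attempt to access outside of the result folder is not allowed.");
    }
    return resolved;
}
```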
+ Files in $HOME/gw-workflow/results
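Review bot: The banner hard-codes `$HOME/gw-workflow/results` while the controller reads its root from the `resultfolder` setting, so the two will disagree as soon as that configuration changes, and the literal tells every viewer where results live on the server. Render the banner from the same value the controller uses (a model attribute populated from `resultfolder`), or drop the path and say `Files in the workflow results folder`. The hunk's context lines are not visible here, so the surrounding markup could not be checked.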