Andrea Cosentino created CAMEL-23765:
----------------------------------------
Summary: camel-ftp/sftp/mina-sftp/azure-files/smb: contain localWorkDirectory downloads within the work directory
Key: CAMEL-23765
URL: https://issues.apache.org/jira/browse/CAMEL-23765
Project: Camel
Issue Type: Improvement
Components: camel-ftp
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
Fix For: 4.21.0, 4.18.3, 4.14.8
When localWorkDirectory is enabled, the remote-file consumers build the local
work file path from the remote file name without ensuring the result stays
within the configured work directory - unlike the file producer, which jails
via FileUtil.compactPath + startsWith when jailStartingDirectory=true. This
proposes adding the same containment check to the localWorkDirectory download
path in camel-ftp (FTP and SFTP), camel-mina-sftp, camel-azure-files and
camel-smb, so a remote file name cannot resolve outside the work directory.
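A sketch of the kind of containment check the issue proposes, written with java.nio.file rather than Camel's FileUtil.compactPath. It is an added example, not code from Camel or from the fix; the class and method names (WorkDirContainment, resolveInside), the work directory and the remote file names are all constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class WorkDirContainment {

    // Hypothetical helper (not Camel code): map a remote file name to a path
    // under workDir and refuse any result that resolves outside it.
    static Path resolveInside(Path workDir, String remoteName) throws IOException {
        Path base = workDir.toAbsolutePath().normalize();
        Path candidate;
        try {
            // normalize() collapses "." and ".." lexically; it does not follow symlinks.
            candidate = base.resolve(remoteName).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("Invalid remote file name: " + remoteName, e);
        }
        // Path.startsWith compares whole name elements, so a sibling such as
        // "work-evil" does not pass as being inside "work".
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IOException("Remote file name resolves outside " + base + ": " + remoteName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path workDir = Paths.get("/tmp/camel-demo/work"); // constructed sample directory
        String[] remoteNames = {                           // constructed sample names
            "report.csv",
            "inbox/2024/report.csv",
            "inbox/../report.csv",
            "../../outside.txt",
            "../work-evil/report.csv",
            "/etc/outside.txt"
        };
        for (String name : remoteNames) {
            try {
                System.out.println("accept  " + name + " -> " + resolveInside(workDir, name));
            } catch (IOException e) {
                System.out.println("reject  " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is applied to the resolved path before any local file is opened, so a rejected name never results in a write.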