Andrea Cosentino created CAMEL-23868:
----------------------------------------
Summary: camel-file: make local work directory / starting directory containment checks path-boundary aware
Key: CAMEL-23868
URL: https://issues.apache.org/jira/browse/CAMEL-23868
Project: Camel
Issue Type: Improvement
Components: camel-file
Affects Versions: 4.21.0
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
The containment checks that keep a resolved file path inside a configured
directory use a bare string prefix test:
- GenericFileHelper.jailToLocalWorkDirectory (introduced under CAMEL-23765) checks compactTarget.startsWith(compactWork).
- GenericFileProducer.jailedCheck uses the same compactAnswer.startsWith(compactBaseDir) shape.
A bare startsWith does not respect path-segment boundaries. When the compacted
directory string has no trailing separator, a sibling directory whose name
merely extends the configured directory's name (e.g. .../localwork vs
.../localworkEVIL) still satisfies the prefix test even though it is a
different directory. In jailToLocalWorkDirectory the work directory comes from
File.getPath() (no trailing separator), so this edge is reachable; jailedCheck
currently avoids it only incidentally, because baseDir is always normalized
with a trailing separator.
Make both checks path-boundary aware so containment no longer depends on the
incidental presence of a trailing separator:
{code:java}
boolean contained = compactTarget.equals(compactWork)
|| compactTarget.startsWith(compactWork + File.separator);
{code}
Files:
- components/camel-file/src/main/java/org/apache/camel/component/file/GenericFileHelper.java -- jailToLocalWorkDirectory
- components/camel-file/src/main/java/org/apache/camel/component/file/GenericFileProducer.java -- jailedCheck
Add a GenericFileHelperTest case for a name-prefixed sibling (e.g.
../localworkEVIL/file.txt), which the existing ../-only tests do not exercise.
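As an added illustration (not Camel's code, and not part of the proposed patch), the following stand-alone Java class puts the bare prefix test beside the path-boundary-aware test and runs both over the name-prefixed sibling case described above, together with the ordinary ../ escape the existing tests already cover. The `compact` helper, the `bareContained` / `boundaryContained` names and the `/var/camel/localwork` sample directory are assumptions made for this example; `compact` uses `Path.normalize()` as a lexical stand-in for Camel's own compaction.

```java
import java.io.File;
import java.nio.file.Paths;

// Added illustration (not Camel's own code): the bare prefix test beside the
// path-boundary-aware test, run over the sibling-directory case from the issue.
public class ContainmentCheckExample {

    // Stand-in for the "compacted" strings the issue refers to: resolve "." and ".."
    // segments lexically, with no file system access. Assumption: Camel's own
    // compaction behaves equivalently for these inputs.
    static String compact(String path) {
        return Paths.get(path).normalize().toString();
    }

    // Current shape: a bare string prefix test, no segment boundary.
    static boolean bareContained(String compactWork, String compactTarget) {
        return compactTarget.startsWith(compactWork);
    }

    // Proposed shape: equal to the directory, or below it past a separator.
    // A trailing separator on compactWork (the jailedCheck case, where baseDir is
    // normalized with one) would make both branches miss, so it is stripped first.
    static boolean boundaryContained(String compactWork, String compactTarget) {
        String dir = compactWork;
        while (dir.length() > 1 && dir.endsWith(File.separator)) {
            dir = dir.substring(0, dir.length() - 1);
        }
        return compactTarget.equals(dir)
                || compactTarget.startsWith(dir + File.separator);
    }

    public static void main(String[] args) {
        // Constructed sample directory and candidates; no files are touched.
        String work = compact("/var/camel/localwork");
        String[] candidates = {
            "/var/camel/localwork/file.txt",                   // genuinely inside
            "/var/camel/localwork",                            // the directory itself
            "/var/camel/localwork/../localworkEVIL/file.txt",  // name-prefixed sibling
            "/var/camel/localwork/../other/file.txt",          // ordinary ../ escape
        };
        System.out.printf("%-38s %-6s %s%n", "target", "bare", "boundary");
        for (String c : candidates) {
            String target = compact(c);
            System.out.printf("%-38s %-6s %s%n", target,
                    bareContained(work, target), boundaryContained(work, target));
        }
    }
}
```

The sibling row is the one where the two checks disagree: after compaction the target reads `.../localworkEVIL/file.txt`, which the bare prefix test accepts and the boundary-aware test rejects, while both tests agree on the inside, self and ../-escape rows. Stripping a trailing separator before the comparison is what lets the same predicate serve both call sites, since jailedCheck's baseDir carries one and jailToLocalWorkDirectory's File.getPath() does not.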
This continues the containment work introduced in CAMEL-23765.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)