[ https://issues.apache.org/jira/browse/CAMEL-23868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092934#comment-18092934 ]

Andrea Cosentino commented on CAMEL-23868:
------------------------------------------

This hardening also needs backporting to the active maintenance lines: the 
containment check introduced in CAMEL-23765 
(GenericFileHelper.jailToLocalWorkDirectory) is present on both camel-4.18.x 
and camel-4.14.x.

fixVersions set so far: 4.22.0 (main) and 4.18.4. The 4.14.x target (4.14.9) is 
not yet created in Jira (4.14.8 is currently on vote), so it will be added as a 
fixVersion once that version exists.

_Claude Code on behalf of Andrea Cosentino_

> camel-file: make local work directory / starting directory containment checks 
> path-boundary aware
> -------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-23868
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23868
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-file
>    Affects Versions: 4.21.0
>            Reporter: Andrea Cosentino
>            Assignee: Andrea Cosentino
>            Priority: Major
>             Fix For: 4.18.4, 4.22.0
>
>
> The containment checks that keep a resolved file path inside a configured 
> directory use a bare string prefix test:
> - GenericFileHelper.jailToLocalWorkDirectory (introduced under CAMEL-23765) 
> checks compactTarget.startsWith(compactWork).
> - GenericFileProducer.jailedCheck uses the same 
> compactAnswer.startsWith(compactBaseDir) shape.
> A bare startsWith does not respect path-segment boundaries. When the 
> compacted directory string has no trailing separator, a sibling directory 
> whose name merely extends the configured directory's name (e.g. .../localwork 
> vs .../localworkEVIL) still satisfies the prefix test even though it is a 
> different directory. In jailToLocalWorkDirectory the work directory comes 
> from File.getPath() (no trailing separator), so this edge is reachable; 
> jailedCheck currently avoids it only incidentally, because baseDir is always 
> normalized with a trailing separator.
> Make both checks path-boundary aware so containment no longer depends on the 
> incidental presence of a trailing separator:
> {code:java}
> boolean contained = compactTarget.equals(compactWork)
>         || compactTarget.startsWith(compactWork + File.separator);
> {code}
> Files:
> - components/camel-file/src/main/java/org/apache/camel/component/file/GenericFileHelper.java -- jailToLocalWorkDirectory
> - components/camel-file/src/main/java/org/apache/camel/component/file/GenericFileProducer.java -- jailedCheck
> Add a GenericFileHelperTest case for a name-prefixed sibling (e.g. 
> ../localworkEVIL/file.txt), which the existing ../-only tests do not exercise.
> This continues the containment work introduced in CAMEL-23765.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
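
The prefix edge described in the issue, as an added example that is not Camel's code: it runs the bare startsWith shape and the boundary-aware shape from the description over constructed paths, next to java.nio's Path.startsWith, which compares whole name elements. The class name, the helper names, the sample paths and the use of Path.normalize() as a stand-in for Camel's path compaction are assumptions.

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ContainmentCheckDemo {

    // Assumed stand-in for Camel's path compaction: lexical removal of "." and "..".
    // Symbolic links are not resolved here.
    static String compact(String path) {
        return Paths.get(path).normalize().toString();
    }

    // Bare prefix shape described in the issue: ignores path-segment boundaries.
    static boolean barePrefix(String workDir, String target) {
        return compact(target).startsWith(compact(workDir));
    }

    // Boundary-aware shape proposed in the issue.
    static boolean boundaryAware(String workDir, String target) {
        String compactWork = compact(workDir);
        String compactTarget = compact(target);
        return compactTarget.equals(compactWork)
                || compactTarget.startsWith(compactWork + File.separator);
    }

    // Alternative: Path.startsWith matches complete name elements, not characters.
    static boolean pathElements(String workDir, String target) {
        Path work = Paths.get(workDir).normalize();
        return Paths.get(target).normalize().startsWith(work);
    }

    public static void main(String[] args) {
        // Constructed sample: no trailing separator, as File.getPath() returns it.
        String work = "target/localwork";
        String[] targets = {                              // constructed sample inputs
            "target/localwork/file.txt",                  // inside the work directory
            "target/localwork",                           // the work directory itself
            "target/localwork/sub/../file.txt",           // ".." that stays inside
            "target/localwork/../other/file.txt",         // plain ".." escape
            "target/localwork/../localworkEVIL/file.txt", // name-prefixed sibling
        };
        System.out.printf("%-45s %-6s %-9s %s%n", "target", "bare", "boundary", "Path");
        for (String t : targets) {
            System.out.printf("%-45s %-6b %-9b %b%n", t,
                    barePrefix(work, t), boundaryAware(work, t), pathElements(work, t));
        }
    }
}
```

Only the bare prefix column accepts the localworkEVIL sibling; the three checks agree on the other four paths.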
