#223 and #224

CondationCMS · Aug 5, 2024 · 3732258 · 3732258
1 parent 173e2fa
commit 3732258
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 4 deletions.
diff --git a/cms-filesystem/src/main/java/com/github/thmarx/cms/filesystem/FileSystem.java b/cms-filesystem/src/main/java/com/github/thmarx/cms/filesystem/FileSystem.java
@@ -34,6 +34,7 @@
 import com.github.thmarx.cms.api.eventbus.events.ReIndexContentMetaDataEvent;
 import com.github.thmarx.cms.api.eventbus.events.TemplateChangedEvent;
 import com.github.thmarx.cms.api.utils.PathUtil;
+import com.github.thmarx.cms.filesystem.exceptions.AccessNotAllowedException;
 import com.github.thmarx.cms.filesystem.metadata.AbstractMetaData;
 import com.github.thmarx.cms.filesystem.metadata.persistent.PersistentMetaData;
 import java.io.IOException;
@@ -115,7 +116,11 @@ public void shutdown() {
 
 	@Override
 	public Path resolve(String path) {
-		return hostBaseDirectory.resolve(path);
+		final Path resolved = hostBaseDirectory.resolve(path);
+		if (!PathUtil.isChild(hostBaseDirectory, resolved)) {
+			throw new AccessNotAllowedException("access outside host package not allowed");
+		}
+		return resolved;
 	}
 
 	@Override

diff --git a/.../src/main/java/com/github/thmarx/cms/filesystem/exceptions/AccessNotAllowedException.java b/.../src/main/java/com/github/thmarx/cms/filesystem/exceptions/AccessNotAllowedException.java
@@ -0,0 +1,45 @@
+package com.github.thmarx.cms.filesystem.exceptions;
+
+/*-
+ * #%L
+ * cms-filesystem
+ * %%
+ * Copyright (C) 2023 - 2024 Marx-Software
+ * %%
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public
+ * License along with this program.  If not, see
+ * <http://www.gnu.org/licenses/gpl-3.0.html>.
+ * #L%
+ */
+
+/**
+ *
+ * @author t.marx
+ */
+public class AccessNotAllowedException extends RuntimeException {
+
+	/**
+	 * Creates a new instance of <code>AccessNotAllowedException</code> without detail message.
+	 */
+	public AccessNotAllowedException() {
+	}
+
+	/**
+	 * Constructs an instance of <code>AccessNotAllowedException</code> with the specified detail message.
+	 *
+	 * @param msg the detail message.
+	 */
+	public AccessNotAllowedException(String msg) {
+		super(msg);
+	}
+}
diff --git a/cms-filesystem/src/test/java/com/github/thmarx/cms/filesystem/PresistentFileSystemTest.java b/cms-filesystem/src/test/java/com/github/thmarx/cms/filesystem/PresistentFileSystemTest.java
@@ -26,10 +26,8 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
 import org.yaml.snakeyaml.Yaml;
 

diff --git a/pom.xml b/pom.xml
@@ -11,7 +11,7 @@
 		<maven.compiler.target>21</maven.compiler.target>
 		<exec.mainClass>com.github.thmarx.cms.Startup</exec.mainClass>
 		<maven.build.timestamp.format>yyyy-MM-dd HH:mm</maven.build.timestamp.format>
-		<jetty.version>12.0.11</jetty.version>
+		<jetty.version>12.0.12</jetty.version>
 	</properties>
 	<modules>
 		<module>cms-api</module>