CVE-2022-22931 JAMES-3646 Rely on strong typing for file paths operat…

…ions (#877)
apache · Feb 9, 2022 · 7d22c6f · 7d22c6f
1 parent c4a775e
commit 7d22c6f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/...ta/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java b/...ta/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java
@@ -316,12 +316,8 @@ protected File getUserDirectory(Username username) throws StorageException {
     }
 
     private void enforceRoot(File file) throws StorageException {
-        try {
-            if (!file.getCanonicalPath().startsWith(root.getCanonicalPath())) {
-                throw new StorageException(new IllegalStateException("Path traversal attempted"));
-            }
-        } catch (IOException e) {
-            throw new StorageException(e);
+        if (!file.toPath().normalize().startsWith(root.toPath().normalize())) {
+            throw new StorageException(new IllegalStateException("Path traversal attempted"));
         }
     }
 

diff --git a/...ata-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java b/...ata-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java
@@ -84,4 +84,13 @@ void getScriptShouldNotAllowToReadScriptsOfOtherUsers() throws Exception {
                 new ScriptName("../other/script")))
             .isInstanceOf(StorageException.class);
     }
+
+    @Test
+    void getScriptShouldNotAllowToReadScriptsOfOtherUsersWhenPrefix() throws Exception {
+        sieveRepository().putScript(Username.of("testa"), new ScriptName("script"), new ScriptContent("PWND!!!"));
+
+        assertThatThrownBy(() ->  sieveRepository().getScript(Username.of("test"),
+            new ScriptName("../other/script")))
+            .isInstanceOf(StorageException.class);
+    }
 }