From b1e891a9e5eeadfa1d779ae50f21c73efe4d2fc7 Mon Sep 17 00:00:00 2001 From: Benoit Tellier Date: Wed, 26 Jan 2022 14:28:00 +0700 Subject: [PATCH] CVE-2022-22931 JAMES-3646 Rely on strong typing for file paths operations --- .../james/sieverepository/file/SieveFileRepository.java | 8 ++------ .../sieverepository/file/SieveFileRepositoryTest.java | 9 +++++++++ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java b/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java index 26baf986093..b70496b6b30 100644 --- a/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java +++ b/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java @@ -316,12 +316,8 @@ protected File getUserDirectory(Username username) throws StorageException { } private void enforceRoot(File file) throws StorageException { - try { - if (!file.getCanonicalPath().startsWith(root.getCanonicalPath())) { - throw new StorageException(new IllegalStateException("Path traversal attempted")); - } - } catch (IOException e) { - throw new StorageException(e); + if (!file.toPath().normalize().startsWith(root.toPath().normalize())) { + throw new StorageException(new IllegalStateException("Path traversal attempted")); } } diff --git a/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java b/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java index e6b4f17a3c3..1077ec8e3ef 100644 --- a/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java +++ b/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java @@ -84,4 +84,13 @@ void getScriptShouldNotAllowToReadScriptsOfOtherUsers() throws Exception { new ScriptName("../other/script"))) .isInstanceOf(StorageException.class); } + + @Test + void getScriptShouldNotAllowToReadScriptsOfOtherUsersWhenPrefix() throws Exception { + sieveRepository().putScript(Username.of("testa"), new ScriptName("script"), new ScriptContent("PWND!!!")); + + assertThatThrownBy(() -> sieveRepository().getScript(Username.of("test"), + new ScriptName("../other/script"))) + .isInstanceOf(StorageException.class); + } }