From 728ff3e71ecd990963744491dd0b82de9db28b67 Mon Sep 17 00:00:00 2001
From: "shuki.avraham"
Date: Thu, 12 May 2022 18:08:19 +0300
Subject: [PATCH 1/2] CureKit-ghsa-fvf5-grm7-538p adding trailing separator to base dir if not present in methon isFileOutsideDir

---
 .../Maven__org_owasp_encoder_encoder_1_2_3.xml | 13 -------------
 .../java/io/whitesource/cure/FileSecurityUtils.java | 9 ++++++++-
 2 files changed, 8 insertions(+), 14 deletions(-)
 delete mode 100644 .idea/libraries/Maven__org_owasp_encoder_encoder_1_2_3.xml

diff --git a/.idea/libraries/Maven__org_owasp_encoder_encoder_1_2_3.xml b/.idea/libraries/Maven__org_owasp_encoder_encoder_1_2_3.xml
deleted file mode 100644
index d6959d0..0000000
--- a/.idea/libraries/Maven__org_owasp_encoder_encoder_1_2_3.xml
+++ /dev/null
@@ -1,13 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/src/main/java/io/whitesource/cure/FileSecurityUtils.java b/src/main/java/io/whitesource/cure/FileSecurityUtils.java
index 7444a9b..3921104 100644
--- a/src/main/java/io/whitesource/cure/FileSecurityUtils.java
+++ b/src/main/java/io/whitesource/cure/FileSecurityUtils.java
@@ -22,7 +22,14 @@ public static boolean isFileOutsideDir(
       @NonNull final String filePath, @NonNull final String baseDirPath) throws IOException {
     File file = new File(filePath);
     File baseDir = new File(baseDirPath);
-    return !file.getCanonicalPath().startsWith(baseDir.getCanonicalPath());
+    return !file.getCanonicalPath().startsWith(addTrailingSeparator(baseDir.getCanonicalPath()));
+  }
+
+  private static String addTrailingSeparator(String path) {
+    if (!path.endsWith(File.separator)) {
+      return path + File.separator;
+    }
+    return path;
   }
 
   /**

From 77e276de00ef1b5a3c927709db72ef75b866b06a Mon Sep 17 00:00:00 2001
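Review bot: Appending the separator to the canonical base path makes the base directory itself count as outside — `new File(baseDirPath).getCanonicalPath()` never ends with a separator unless it is a filesystem root, so a `filePath` equal to `baseDirPath` no longer satisfies the `startsWith` on the new return line and the method answers true. If that is the intended contract it belongs in the Javadoc of isFileOutsideDir, which sits above this hunk; otherwise test equality alongside the prefix: `String base = baseDir.getCanonicalPath();` / `String target = file.getCanonicalPath();` / `return !(target.equals(base) || target.startsWith(addTrailingSeparator(base)));`. The second patch in this series swaps the comparison for `Path::startsWith`, which treats an equal path as a match, so the two patches give opposite answers for this input and a unit test should pin whichever is wanted. The signature of isFileOutsideDir is on the line before this hunk.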
From: "shuki.avraham"
Date: Sat, 14 May 2022 10:57:33 +0300
Subject: [PATCH 2/2] Replace String::startsWith with Path::startsWith in isFileOutsideDir + unit test

---
 src/main/java/io/whitesource/cure/FileSecurityUtils.java | 9 +--------
 .../java/io/whitesource/cure/FileSecurityUtilsTests.java | 7 +++++++
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/main/java/io/whitesource/cure/FileSecurityUtils.java b/src/main/java/io/whitesource/cure/FileSecurityUtils.java
index 3921104..8275f64 100644
--- a/src/main/java/io/whitesource/cure/FileSecurityUtils.java
+++ b/src/main/java/io/whitesource/cure/FileSecurityUtils.java
@@ -22,14 +22,7 @@ public static boolean isFileOutsideDir(
       @NonNull final String filePath, @NonNull final String baseDirPath) throws IOException {
     File file = new File(filePath);
     File baseDir = new File(baseDirPath);
-    return !file.getCanonicalPath().startsWith(addTrailingSeparator(baseDir.getCanonicalPath()));
-  }
-
-  private static String addTrailingSeparator(String path) {
-    if (!path.endsWith(File.separator)) {
-      return path + File.separator;
-    }
-    return path;
+    return !file.getCanonicalFile().toPath().startsWith(baseDir.getCanonicalFile().toPath());
   }
 
   /**
diff --git a/src/test/java/io/whitesource/cure/FileSecurityUtilsTests.java b/src/test/java/io/whitesource/cure/FileSecurityUtilsTests.java
index 5ec5703..be28742 100644
--- a/src/test/java/io/whitesource/cure/FileSecurityUtilsTests.java
+++ b/src/test/java/io/whitesource/cure/FileSecurityUtilsTests.java
@@ -50,6 +50,13 @@ void normalize_validInput_successfullyWithResult() {
     Assertions.assertEquals(expectedResult, actualResult);
   }
 
+  @Test
+  void isFileOutsideDirStartsWithTest() throws IOException {
+    String taintedInput = "/usr/foo/../foo-bar/bar";
+    String baseDir = "/usr/foo";
+    Assertions.assertTrue(FileSecurityUtils.isFileOutsideDir(taintedInput, baseDir));
+  }
+
   @Test
   void normalize_null_successfully() {
     Assertions.assertNull(FileSecurityUtils.normalize(null));
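Review bot: A relative `filePath` is still canonicalised against the JVM's working directory rather than against `baseDirPath`, because the `new File(filePath)` on the context line above the new return never involves `baseDir`; a caller that hands over user-supplied input such as `../etc/passwd` with base `/srv/data` gets an answer about `$CWD/../etc/passwd`, not about the base directory. If the contract is that relative inputs are taken relative to the base, resolve before canonicalising — construct `baseDir` first, then `File file = new File(filePath); if (!file.isAbsolute()) { file = new File(baseDir, filePath); }` — and otherwise say in the Javadoc of isFileOutsideDir, which begins above this hunk, that `filePath` must already be absolute or joined with the base. The new return line also deserves a comment that canonicalisation follows symlinks as they exist at call time, so this is a point-in-time answer and a link created or swapped after the check is not covered, and that `Path::startsWith` compares whole name elements, which is what closes the `/usr/foo-bar` vs `/usr/foo` prefix case while treating an equal path as inside. The method's signature line precedes the hunk.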
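Review bot: The new test pins only the sibling-prefix case that motivated the change; the behaviour `Path::startsWith` introduces for an equal path and for a genuine child is not asserted, so a regression back to a string prefix plus trailing separator would still pass. Add `Assertions.assertFalse(FileSecurityUtils.isFileOutsideDir("/usr/foo/bar", "/usr/foo"));` and `Assertions.assertFalse(FileSecurityUtils.isFileOutsideDir("/usr/foo", "/usr/foo"));`, plus a true case for an absolute escape such as `/etc/passwd`. The neighbouring tests use a `method_input_expectation` naming pattern (`normalize_null_successfully` in the context lines), which `isFileOutsideDirStartsWithTest` does not follow; `isFileOutsideDir_siblingWithCommonPrefix_true` would match. Canonicalisation follows symlinks for path components that exist on the test host, so the fixed `/usr/foo` paths are sound only while nothing under `/usr` on CI redirects them — presumably true, but a `@TempDir`-based fixture would remove the dependency.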