Remove unplanned path traversal feature

2026-04-12 19:23:58 +02:00
parent b50ceff57e
commit 58cbd6b56d
4 changed files with 26 additions and 0 deletions
--- a/src/main/java/sh/rhiobet/lalafin/api/FilePrivateAPI.java
+++ b/src/main/java/sh/rhiobet/lalafin/api/FilePrivateAPI.java
@@ -52,6 +52,10 @@ public class FilePrivateAPI {
    @Path("/{names: .+}")
    @Produces(MediaType.APPLICATION_JSON)
    public Response getFileInfo(List<PathSegment> names) {
+        if (roleAccessService.hasEncodedPathSeparator(names)) {
+            return Response.status(Response.Status.BAD_REQUEST).build();
+        }
+
        if (!roleAccessService.checkRouteAccess(securityIdentity.getRoles(), names)
                || !adventAccessService.checkEventAccess(names)) {
            return Response.status(Response.Status.FORBIDDEN).build();
--- a/src/main/java/sh/rhiobet/lalafin/api/internal/RoleAccessService.java
+++ b/src/main/java/sh/rhiobet/lalafin/api/internal/RoleAccessService.java
@@ -1,5 +1,7 @@
 package sh.rhiobet.lalafin.api.internal;

+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
@@ -15,6 +17,18 @@ public class RoleAccessService {
    @Inject
    FileApiConfiguration fileApiConfiguration;

+    public boolean hasEncodedPathSeparator(final List<PathSegment> names) {
+        return names.stream().anyMatch(s -> {
+            String current = s.getPath();
+            while (true) {
+                String decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
+                if (decoded.equals(current)) break;
+                current = decoded;
+            }
+            return current.contains("/") || current.contains("\0") || current.equals("..") || current.equals(".");
+        });
+    }
+
    public boolean checkRouteAccess(final Set<String> userRoles, final List<PathSegment> names) {
        List<Route> matchingRoutes = new ArrayList<>();
        for (Route route : fileApiConfiguration.routes()) {
--- a/src/main/java/sh/rhiobet/lalafin/file/FileResource.java
+++ b/src/main/java/sh/rhiobet/lalafin/file/FileResource.java
@@ -59,6 +59,10 @@ public class FileResource {
    @GET
    @Path("/{names: .+}")
    public Response serve(List<PathSegment> names, @HeaderParam("Range") String range) {
+        if (roleAccessService.hasEncodedPathSeparator(names)) {
+            return Response.status(Response.Status.BAD_REQUEST).build();
+        }
+
        if (!roleAccessService.checkRouteAccess(securityIdentity.getRoles(), names)
                || !adventAccessService.checkEventAccess(names)) {
            return Response.status(Response.Status.FORBIDDEN).build();
--- a/src/main/java/sh/rhiobet/lalafin/file/ViewerResource.java
+++ b/src/main/java/sh/rhiobet/lalafin/file/ViewerResource.java
@@ -45,6 +45,10 @@ public class ViewerResource {
    @GET
    @Path("/{names: .+}/{page}")
    public Response view(List<PathSegment> names, int page) {
+        if (roleAccessService.hasEncodedPathSeparator(names)) {
+            return Response.status(Response.Status.BAD_REQUEST).build();
+        }
+
        if (!roleAccessService.checkRouteAccess(securityIdentity.getRoles(), names)
                || !adventAccessService.checkEventAccess(names)) {
            return Response.status(Response.Status.FORBIDDEN).build();