Filtering upwards path traversal in Java (or Scala) [closed]

Answer 1

You do not need to use a third-party library to do this. The file APIs that Java provides give you the ability to verify that a file is a descendent of another.

Path.resolve(String) will resolve parent directory references, absolute, and relative paths. If an absolute path is passed as an argument to the resolve method it returns the absolute path. It does not guarantee that the returned value is a descendent of the path the method was invoked on.

You can check that a path is a descendent of another path by using the Path.startsWith(Path) method.

Path root = java.nio.file.Files.createTempDirectory(null);
Path relative = root.resolve(pathAsString).normalize();
if (!relative.startsWith(root)) {
    throw new IllegalArgumentException("Path contains invalid characters");
}

When pathAsString contains references to parent directories or was an absolute path, relative can reference a file that is not contained in root. When this is the case you can throw an exception before any modifications to the file are permitted.

Answer 2

You can use Path.normalize() to strip out ".." elements (and their preceding elements) from a path — e.g. it'll turn "a/b/../c" into "a/c". Note that it won't strip out a ".." at the beginning of a path, since there's no preceding directory component for it to remove as well. So if you're going to prepend another path, do that first, then normalize the result.

You can also use Path.startsWith(Path) to check whether one path is a descendant of another. And Path.isAbsolute() tells you, unsurprisingly, whether a path is absolute or relative.

Here's how I'd process the untrusted paths coming into the API:

/**
 * Resolves an untrusted user-specified path against the API's base directory.
 * Paths that try to escape the base directory are rejected.
 *
 * @param baseDirPath  the absolute path of the base directory that all
                     user-specified paths should be within
 * @param userPath  the untrusted path provided by the API user, expected to be
                  relative to {@code baseDirPath}
 */
public Path resolvePath(final Path baseDirPath, final Path userPath) {
  if (!baseDirPath.isAbsolute()) {
    throw new IllegalArgumentException("Base path must be absolute");
  }

  if (userPath.isAbsolute()) {
    throw new IllegalArgumentException("User path must be relative");
  }

  // Join the two paths together, then normalize so that any ".." elements
  // in the userPath can remove parts of baseDirPath.
  // (e.g. "/foo/bar/baz" + "../attack" -> "/foo/bar/attack")
  final Path resolvedPath = baseDirPath.resolve(userPath).normalize();

  // Make sure the resulting path is still within the required directory.
  // (In the example above, "/foo/bar/attack" is not.)
  if (!resolvedPath.startsWith(baseDirPath)) {
    throw new IllegalArgumentException("User path escapes the base path");
  }

  return resolvedPath;
}