Posted to commits@camel.apache.org by da...@apache.org on 2023/10/27 11:55:49 UTC
(camel-spring-boot) branch main updated: Add a check for path traversal for SAST tests (#990)
This is an automated email from the ASF dual-hosted git repository.
davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-spring-boot.git
The following commit(s) were added to refs/heads/main by this push:
new ec7d84f2ff1 Add a check for path traversal for SAST tests (#990)
ec7d84f2ff1 is described below
commit ec7d84f2ff1273140cbe7926cdfe34fd9fa33a5e
Author: Tom Cunningham <tc...@redhat.com>
AuthorDate: Fri Oct 27 07:55:44 2023 -0400
Add a check for path traversal for SAST tests (#990)
---
.../dataformat/zipfile/springboot/ZipFileDataFormatTest.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/components-starter/camel-zipfile-starter/src/test/java/org/apache/camel/dataformat/zipfile/springboot/ZipFileDataFormatTest.java b/components-starter/camel-zipfile-starter/src/test/java/org/apache/camel/dataformat/zipfile/springboot/ZipFileDataFormatTest.java
index 1e5ddaa0902..63236668b79 100644
--- a/components-starter/camel-zipfile-starter/src/test/java/org/apache/camel/dataformat/zipfile/springboot/ZipFileDataFormatTest.java
+++ b/components-starter/camel-zipfile-starter/src/test/java/org/apache/camel/dataformat/zipfile/springboot/ZipFileDataFormatTest.java
@@ -368,7 +368,17 @@ public class ZipFileDataFormatTest {
public void process(Exchange exchange) throws Exception {
ZipFile zfile = new ZipFile(new File("src/test/resources/hello.odt"));
ZipEntry entry = new ZipEntry((String) exchange.getIn().getHeader(Exchange.FILE_NAME));
- File file = new File("hello_out", entry.getName());
+ String outputDirectory = "hello_out";
+ File file = new File(outputDirectory, entry.getName());
+
+ // Check for Path Traversal
+ File destDirectory = new File(outputDirectory);
+ String destCanonicalPath = destDirectory.getCanonicalPath();
+ String outputCanonicalPath = file.getCanonicalPath();
+ if (!outputCanonicalPath.startsWith(destCanonicalPath)) {
+ throw new Exception("Zip path traversal found, expected " + destCanonicalPath + " but found " + outputCanonicalPath);
+ }
+
if (entry.isDirectory()) {
file.mkdirs();
} else {
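Review bot: The guard `outputCanonicalPath.startsWith(destCanonicalPath)` is a plain string-prefix comparison with no trailing separator, so a canonical path in a sibling directory whose name merely begins with `hello_out` would still be accepted. Comparing on path elements closes that gap, for example `if (!file.getCanonicalFile().toPath().startsWith(destDirectory.getCanonicalFile().toPath())) {`, or alternatively append `File.separator` to `destCanonicalPath` before the prefix test. Throwing a bare `Exception` also makes the failure hard to distinguish from other errors; an `IOException` with the same message would be more specific and is still covered by `throws Exception`. The body of `process` continues past the end of this hunk, so how `zfile` is closed cannot be judged from here.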