Posted to commits@gobblin.apache.org by ab...@apache.org on 2018/06/05 00:31:51 UTC

incubator-gobblin git commit: [GOBBLIN-508][GOBBLIN-486] Ensure that in AWSConfigManager the files are extracted within the output directory

Repository: incubator-gobblin
Updated Branches:
  refs/heads/master e7bb4c40f -> 383568685


[GOBBLIN-508][GOBBLIN-486] Ensure that in AWSConfigManager the files are extracted within the output directory

Closes #2377 from abti/master


Project: http://git-wip-us.apache.org/repos/asf/incubator-gobblin/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-gobblin/commit/38356868
Tree: http://git-wip-us.apache.org/repos/asf/incubator-gobblin/tree/38356868
Diff: http://git-wip-us.apache.org/repos/asf/incubator-gobblin/diff/38356868

Branch: refs/heads/master
Commit: 3835686858382c50579989127829aca070f9de44
Parents: e7bb4c4
Author: Abhishek Tiwari <ab...@gmail.com>
Authored: Mon Jun 4 17:31:42 2018 -0700
Committer: Abhishek Tiwari <ab...@linkedin.com>
Committed: Mon Jun 4 17:31:42 2018 -0700

----------------------------------------------------------------------
 .../gobblin/aws/AWSJobConfigurationManager.java      |  4 ++++
 .../main/java/org/apache/gobblin/util/FileUtils.java | 15 +++++++++++++++
 .../java/org/apache/gobblin/util/FileUtilsTest.java  | 15 +++++++++++++++
 3 files changed, 34 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-gobblin/blob/38356868/gobblin-aws/src/main/java/org/apache/gobblin/aws/AWSJobConfigurationManager.java
----------------------------------------------------------------------
diff --git a/gobblin-aws/src/main/java/org/apache/gobblin/aws/AWSJobConfigurationManager.java b/gobblin-aws/src/main/java/org/apache/gobblin/aws/AWSJobConfigurationManager.java
index 6ad15c2..042503f 100644
--- a/gobblin-aws/src/main/java/org/apache/gobblin/aws/AWSJobConfigurationManager.java
+++ b/gobblin-aws/src/main/java/org/apache/gobblin/aws/AWSJobConfigurationManager.java
@@ -197,6 +197,10 @@ public class AWSJobConfigurationManager extends JobConfigurationManager {
       while (entries.hasMoreElements()) {
         final ZipEntry entry = entries.nextElement();
         final File entryDestination = new File(outputDir, entry.getName());
+        if (!org.apache.gobblin.util.FileUtils.isSubPath(outputDir, entryDestination)) {
+          throw new IOException(String.format("Extracted file: %s is trying to write outside of output directory: %s",
+              entryDestination, outputDir));
+        }
 
         if (entry.isDirectory()) {
           // If entry is directory, create directory
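Review bot: The new guard at the top of the loop carries no comment saying what it defends against, so a reader has to infer that `entry.getName()` comes from the archive and may contain `..` segments. I would add `// Zip entry names are untrusted: reject any entry that resolves outside outputDir (Zip Slip).` above the `if`. The exception is thrown after earlier entries may already have been written. Whether the caller cleans up `outputDir` on failure is not visible here, because the loop and its enclosing method continue outside the hunk.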

http://git-wip-us.apache.org/repos/asf/incubator-gobblin/blob/38356868/gobblin-utility/src/main/java/org/apache/gobblin/util/FileUtils.java
----------------------------------------------------------------------
diff --git a/gobblin-utility/src/main/java/org/apache/gobblin/util/FileUtils.java b/gobblin-utility/src/main/java/org/apache/gobblin/util/FileUtils.java
index 49bf6dd..6f314d2 100644
--- a/gobblin-utility/src/main/java/org/apache/gobblin/util/FileUtils.java
+++ b/gobblin-utility/src/main/java/org/apache/gobblin/util/FileUtils.java
@@ -17,6 +17,7 @@
 
 package org.apache.gobblin.util;
 
+import java.io.File;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.nio.charset.StandardCharsets;
@@ -33,4 +34,18 @@ public class FileUtils {
       out.flush();
     }
   }
+
+  /***
+   * Check if child path is child of parent path.
+   * @param parent Expected parent path.
+   * @param child Expected child path.
+   * @return If child path is child of parent path.
+   * @throws IOException
+   */
+  public static boolean isSubPath(File parent, File child) throws IOException {
+    String childStr = child.getCanonicalPath();
+    String parentStr = parent.getCanonicalPath();
+
+    return childStr.startsWith(parentStr);
+  }
 }
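Review bot: `childStr.startsWith(parentStr)` in `isSubPath` is a plain string-prefix test, so it accepts a sibling directory whose name merely begins with the parent's name: with parent `/tmp/foo/bar`, the path `/tmp/foo/barbaz/file.txt` returns true. The guard added in AWSJobConfigurationManager relies on this method, so an archive entry that resolves into such a sibling of the output directory would still pass. Comparing by path element closes the gap: `return child.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath());`. The Javadoc should also open with `/**` rather than `/***`, state that a path equal to the parent counts as a sub-path, and give `@throws IOException` a description (canonicalization failed).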

http://git-wip-us.apache.org/repos/asf/incubator-gobblin/blob/38356868/gobblin-utility/src/test/java/org/apache/gobblin/util/FileUtilsTest.java
----------------------------------------------------------------------
diff --git a/gobblin-utility/src/test/java/org/apache/gobblin/util/FileUtilsTest.java b/gobblin-utility/src/test/java/org/apache/gobblin/util/FileUtilsTest.java
index 3956da3..a1f5bc0 100644
--- a/gobblin-utility/src/test/java/org/apache/gobblin/util/FileUtilsTest.java
+++ b/gobblin-utility/src/test/java/org/apache/gobblin/util/FileUtilsTest.java
@@ -17,6 +17,7 @@
 
 package org.apache.gobblin.util;
 
+import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -40,4 +41,18 @@ public class FileUtilsTest {
 
     Files.deleteIfExists(destPath);
   }
+
+  @Test
+  public void testIsSubPath() throws IOException {
+    File parentPath = new File("/tmp/foo/bar");
+
+    File childPath = new File("/tmp/foo/../tar/file.txt");
+    assertThat(false).isEqualTo(FileUtils.isSubPath(parentPath, childPath));
+
+    childPath = new File("/tmp/foo/tar/../bar/file.txt");
+    assertThat(true).isEqualTo(FileUtils.isSubPath(parentPath, childPath));
+
+    childPath = new File("/tmp/foo/bar/car/file.txt");
+    assertThat(true).isEqualTo(FileUtils.isSubPath(parentPath, childPath));
+  }
 }
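Review bot: `testIsSubPath` has no case for a sibling directory that shares the parent's name as a prefix, which is the one input where a string-prefix comparison and a real containment check disagree. I would add `assertThat(false).isEqualTo(FileUtils.isSubPath(parentPath, new File("/tmp/foo/barbaz/file.txt")));`, which fails against the `startsWith` implementation in this commit. The existing assertions also pass the expected value to `assertThat` and the actual value to `isEqualTo`. Swapping them would make failure messages read correctly.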