You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@james.apache.org by bt...@apache.org on 2021/09/09 03:15:23 UTC
[james-project] 02/02: JAMES-3646 SieveFileRepository should forbid
'/' usage
This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 115c9f8db650562407de004e343f1778a70a48de
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Sun Sep 5 08:05:37 2021 +0700
JAMES-3646 SieveFileRepository should forbid '/' usage
This could allow one user to read scripts of the other...
---
.../apache/james/sieverepository/file/SieveFileRepository.java | 3 +++
.../james/sieverepository/file/SieveFileRepositoryTest.java | 10 ++++++++++
2 files changed, 13 insertions(+)
diff --git a/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java b/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java
index 34425ed..26baf98 100644
--- a/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java
+++ b/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java
@@ -377,6 +377,9 @@ public class SieveFileRepository implements SieveRepository {
}
protected File getScriptFile(Username username, ScriptName name) throws ScriptNotFoundException, StorageException {
+ if (name.getValue().contains("/")) {
+ throw new StorageException(new IllegalArgumentException("Script name should not contain '/' as it can allow path traversal"));
+ }
File file = new File(getUserDirectory(username), name.getValue());
enforceRoot(file);
if (!file.exists()) {
diff --git a/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java b/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java
index f9afe9f..e6b4f17 100644
--- a/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java
+++ b/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java
@@ -12,6 +12,7 @@ import java.io.InputStream;
import org.apache.commons.io.FileUtils;
import org.apache.james.core.Username;
import org.apache.james.filesystem.api.FileSystem;
+import org.apache.james.sieverepository.api.ScriptContent;
import org.apache.james.sieverepository.api.ScriptName;
import org.apache.james.sieverepository.api.SieveRepository;
import org.apache.james.sieverepository.api.exception.StorageException;
@@ -74,4 +75,13 @@ class SieveFileRepositoryTest implements SieveRepositoryContract {
new ScriptName("../../../../home/interview1/script"), SCRIPT_CONTENT))
.isInstanceOf(StorageException.class);
}
+
+ @Test
+ void getScriptShouldNotAllowToReadScriptsOfOtherUsers() throws Exception {
+ sieveRepository().putScript(Username.of("other"), new ScriptName("script"), new ScriptContent("PWND!!!"));
+
+ assertThatThrownBy(() -> sieveRepository().getScript(Username.of("test"),
+ new ScriptName("../other/script")))
+ .isInstanceOf(StorageException.class);
+ }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org