Add Validator for Path Traversal #22

gilday · 2024-02-09T21:23:34Z

To prevent path traversal, I need to ensure that a given Path does not escape out of a given directory. Looking for a validator that will make this easy e.g.

public static boolean isParent(Path directory, Path path) { ... }

The text was updated successfully, but these errors were encountered:

nahsra · 2024-02-09T21:32:43Z

I see multiple use cases here that align nicely with some of the issues we just had in our own security advisory.

public static boolean hasEscapeSequences(Path p) -- to confirm that a Path has no escape sequences and can be safely used with Path#resolve() to build a child Path of a directory.

public static boolean isFileWithinDirectory(Path file, Path directory) -- to confirm the given (full) file path is in the given directory.

Does this sound right to you?

gilday · 2024-02-09T22:00:09Z

Yes, that sounds right to me. My use case is this:

I am processing a response from an external system that I do not trust. This response includes a directory and a list of files that are supposedly in that directory. I want to verify that those files are in fact children of the given directory vs attempts to escape that directory.

gilday added the enhancement New feature or request label Feb 9, 2024

nahsra self-assigned this Feb 9, 2024

nahsra added the good first issue Good for newcomers label Feb 9, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Validator for Path Traversal #22

Add Validator for Path Traversal #22

gilday commented Feb 9, 2024

nahsra commented Feb 9, 2024

gilday commented Feb 9, 2024

Add Validator for Path Traversal #22

Add Validator for Path Traversal #22

Comments

gilday commented Feb 9, 2024

nahsra commented Feb 9, 2024

gilday commented Feb 9, 2024