github
/
halo
mirror of https://github.com/halo-dev/halo
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix directory traversal vulnerability

pull/755/head
johnniang 2019-12-13 00:17:11 +08:00
parent 5a5e84158f
commit d59877a9ce
2 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/main/java/run/halo/app/utils/FileUtils.java
View File

@ -296,7 +296,7 @@ public class FileUtils {
Assert.notNull(parentPath, "Parent path must not be null"); Assert.notNull(parentPath, "Parent path must not be null");
Assert.notNull(pathToCheck, "Path to check must not be null"); Assert.notNull(pathToCheck, "Path to check must not be null");
if (pathToCheck.startsWith(parentPath.normalize())) { if (pathToCheck.normalize().startsWith(parentPath)) {
return; return;
} }

11
src/test/java/run/halo/app/utils/DirectoryAttackTest.java
View File

@ -2,6 +2,7 @@ package run.halo.app.utils;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Test; import org.junit.Test;
import run.halo.app.exception.ForbiddenException;
import java.io.IOException; import java.io.IOException;
import java.nio.file.Path; import java.nio.file.Path;
@ -68,4 +69,14 @@ public class DirectoryAttackTest {
System.out.println("Name count: " + path.getNameCount()); System.out.println("Name count: " + path.getNameCount());
System.out.println("Normalized path: " + path.normalize()); System.out.println("Normalized path: " + path.normalize());
} }
@Test
public void traversalTestWhenSuccess() {
FileUtils.checkDirectoryTraversal("/etc/", "/etc/halo/halo/../test");
}
@Test(expected = ForbiddenException.class)
public void traversalTestWhenFailure() {
FileUtils.checkDirectoryTraversal("/etc/", "/etc/../tmp");
}
} }