Merge pull request getodk#6340 from seadowg/path-utils

Guard against incorrect paths
seadowg · Aug 23, 2024 · 124ea51 · 124ea51
1 parent e12bc09
commit 124ea51
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/shared/src/main/java/org/odk/collect/shared/PathUtils.kt b/shared/src/main/java/org/odk/collect/shared/PathUtils.kt
@@ -11,7 +11,13 @@ object PathUtils {
 
     @JvmStatic
     fun getAbsoluteFilePath(dirPath: String, filePath: String): String {
-        return if (filePath.startsWith(dirPath)) filePath else dirPath + File.separator + filePath
+        val absolutePath = if (filePath.startsWith(dirPath)) filePath else dirPath + File.separator + filePath
+
+        if (File(absolutePath).canonicalPath.startsWith(dirPath)) {
+            return absolutePath
+        } else {
+            throw SecurityException()
+        }
     }
 
     // https://stackoverflow.com/questions/2679699/what-characters-allowed-in-file-names-on-android

diff --git a/shared/src/test/java/org/odk/collect/shared/PathUtilsTest.kt b/shared/src/test/java/org/odk/collect/shared/PathUtilsTest.kt
@@ -24,6 +24,11 @@ class PathUtilsTest {
         assertThat(path, equalTo("/root/dir/file"))
     }
 
+    @Test(expected = SecurityException::class)
+    fun `getAbsoluteFilePath() throws SecurityException when filePath is outside the dirPath`() {
+        PathUtils.getAbsoluteFilePath("/root/dir", "../tmp/file")
+    }
+
     @Test
     fun `getRelativeFilePath() returns filePath with dirPath removed`() {
         val path = PathUtils.getRelativeFilePath("/root/dir", "/root/dir/file")