QA-14640: Prevent partial path traversal/StringIndexOutOfBoundsExcept…

…ion (#1430) * QA-14640: Prevent partial path traversal/StringIndexOutOfBoundsException * QA-14640: fix typo
Jahia · Dec 13, 2022 · 538046e · 538046e
1 parent 6fc2789
commit 538046e
Showing 1 changed file with 17 additions and 7 deletions.
diff --git a/core/src/main/java/org/jahia/services/importexport/ImportExportBaseService.java b/core/src/main/java/org/jahia/services/importexport/ImportExportBaseService.java
@@ -169,10 +169,20 @@ public final class ImportExportBaseService extends JahiaService implements Impor
     private static final String SITE_PERMISSIONS_XML = "sitePermissions.xml";
     private static final String DEFINITIONS_CND = "definitions.cnd";
     private static final String DEFINITIONS_MAP = "definitions.map";
-    private static final File EXPORT_PATH = new File(SettingsBean.getInstance().getJahiaExportsDiskPath());
     private static final FileCleaningTracker fileCleaningTracker = new FileCleaningTracker();
     private static final HashSet<String> siteExportNodeTypesToIgnore = Sets.newHashSet("jnt:templatesFolder", "jnt:externalUser", "jnt:workflowTask", "jmix:noImportExport");
     private static final HashSet<String> defaultExportNodeTypesToIgnore = Sets.newHashSet(Constants.JAHIANT_VIRTUALSITE, "jnt:workflowTask", "jmix:noImportExport");
+    private static final Path EXPORT_PATH; 
+    static {
+        Path exportsPath = null;
+        try {
+            exportsPath = new File(SettingsBean.getInstance().getJahiaExportsDiskPath()).getCanonicalFile().toPath();
+        } catch (Exception e) {
+            logger.error("Invalid server directory of configured jahiaExportsDiskPath {}. Configuration or environment is broken leading to exceptions during content export.", SettingsBean.getInstance().getJahiaExportsDiskPath());
+        } finally {
+            EXPORT_PATH = exportsPath; 
+        }
+    };
     private final long scannerInterval = SettingsBean.getInstance().getJahiaSiteImportScannerInterval();
     private JahiaSitesService sitesService;
     private JahiaFileWatcherService fileWatcherService;
@@ -232,9 +242,9 @@ public static String updatedServerDirectoryPath(String serverDirectoryPath) thro
             return null;
         }
         File exportPath = new File(serverDirectoryPath);
-        return exportPath.getCanonicalPath().startsWith(SettingsBean.getInstance().getJahiaExportsDiskPath())
+        return exportPath.getCanonicalFile().toPath().startsWith(EXPORT_PATH)
                 ? exportPath.getCanonicalPath()
-                : new File(SettingsBean.getInstance().getJahiaExportsDiskPath(), serverDirectoryPath).getCanonicalPath();
+                : new File(EXPORT_PATH.toFile(), serverDirectoryPath).getCanonicalPath();
     }
 
     /**
@@ -266,9 +276,9 @@ public static boolean isDirectoryEmpty(String pathStr) throws IOException {
     public static boolean isValidServerDirectory(String serverDirectory) {
         try {
             File serverDirectoryFile = new File(serverDirectory);
-            if (!serverDirectoryFile.getCanonicalPath().startsWith(EXPORT_PATH.getCanonicalPath())) {
+            if (!serverDirectoryFile.getCanonicalFile().toPath().startsWith(EXPORT_PATH)) {
                 logger.error("User is trying to export to {} which is outside the allowed location {}",
-                        serverDirectory, EXPORT_PATH.getCanonicalPath());
+                        serverDirectory, EXPORT_PATH);
                 return false;
             }
             if (!ImportExportBaseService.isDirectoryEmpty(serverDirectory)) {
@@ -287,7 +297,7 @@ public static boolean isValidServerDirectory(String serverDirectory) {
     public void start() {
         try {
             new ImportFileObserver(org.jahia.settings.SettingsBean.getInstance().getJahiaImportsDiskPath(), false, scannerInterval, true);
-            new File(EXPORT_PATH.getPath()).mkdirs();
+            EXPORT_PATH.toFile().mkdirs();
         } catch (JahiaException je) {
             logger.error("exception with FilesObserver", je);
         }
@@ -2023,7 +2033,7 @@ private String validateZipName(String filename) throws java.io.IOException {
         String canonicalPath = new File(filename).getCanonicalPath();
         String canonicalID = new File(".").getCanonicalPath();
 
-        if (canonicalPath.startsWith(canonicalID)) {
+        if (canonicalPath.startsWith(canonicalID) && canonicalPath.length() > canonicalID.length()) {
             return canonicalPath.substring(canonicalID.length() + 1);
         } else {
             throw new IllegalStateException("File is outside extraction target directory.");