Skip to content

Commit

Permalink
4.3 export security fix (#3371)
Browse files Browse the repository at this point in the history
  • Loading branch information
gem-neo4j authored Dec 16, 2022
1 parent 73b0719 commit e30dcfb
Show file tree
Hide file tree
Showing 4 changed files with 312 additions and 47 deletions.
4 changes: 2 additions & 2 deletions core/src/main/java/apoc/export/csv/ExportCSV.java
Original file line number Diff line number Diff line change
Expand Up @@ -116,8 +116,8 @@ private Stream<ProgressInfo> exportCsv(@Name("file") String fileName, String sou

private void dump(Object data, ExportConfig c, ProgressReporter reporter, ExportFileManager printWriter, CsvFormat exporter) {
if (data instanceof SubGraph)
exporter.dump((SubGraph)data,printWriter,reporter,c);
exporter.dump((SubGraph) data, printWriter, reporter, c);
if (data instanceof Result)
exporter.dump((Result)data,printWriter,reporter,c);
exporter.dump((Result) data, printWriter, reporter, c);
}
}
8 changes: 4 additions & 4 deletions core/src/main/java/apoc/util/FileUtils.java
Original file line number Diff line number Diff line change
Expand Up @@ -230,7 +230,7 @@ private static Path getPath(String url) {
Path urlPath;
URL toURL = null;
try {
final URI uri = URI.create(url.trim());
final URI uri = URI.create(url.trim()).normalize();
toURL = uri.toURL();
urlPath = Paths.get(uri);
} catch (Exception e) {
Expand All @@ -245,10 +245,10 @@ private static Path getPath(String url) {

private static boolean pathStartsWithOther(Path resolvedPath, Path basePath) throws IOException {
try {
return resolvedPath.toRealPath().startsWith(basePath.toRealPath());
return resolvedPath.toFile().getCanonicalFile().toPath().startsWith(basePath.toRealPath());
} catch (Exception e) {
if (e instanceof NoSuchFileException) { // If we're about to creating a file this exception has been thrown
return resolvedPath.normalize().startsWith(basePath);
if (e instanceof NoSuchFileException) { // If we're about to create a file this exception has been thrown
return resolvedPath.toFile().getCanonicalFile().toPath().startsWith(basePath);
}
return false;
}
Expand Down
Loading

0 comments on commit e30dcfb

Please sign in to comment.