
tomdesair / tus-java-server / 27493744652

14 Jun 2026 08:50AM UTC coverage: 94.813% (-0.1%) from 94.92%
27493744652

Pull #89

github

web-flow
Merge 98692cb80 into 6d81fd72b
Pull Request #89: 🛡️ Sentinel: [CRITICAL] Fix Path Traversal in AbstractDiskBasedService

621 of 700 branches covered (88.71%)

Branch coverage included in aggregate %.

3 of 4 new or added lines in 1 file covered. (75.0%)

1810 of 1864 relevant lines covered (97.1%)

6.57 hits per line


79.41
/src/main/java/me/desair/tus/server/upload/disk/AbstractDiskBasedService.java
package me.desair.tus.server.upload.disk;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import me.desair.tus.server.TusFileUploadService;
import me.desair.tus.server.upload.UploadId;
import org.apache.commons.lang3.Validate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Common abstract super class for implementing services that use the disk file system. */
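public class AbstractDiskBasedService {

  // NOTE(review): the logger is registered under TusFileUploadService, not this class, so
  // messages logged here appear in that category. Left unchanged because renaming the category
  // would affect existing logging configuration.
  private static final Logger log = LoggerFactory.getLogger(TusFileUploadService.class);

  // Root directory under which every upload path is resolved.
  private Path storagePath;

  /**
   * Creates a service rooted at the given storage directory.
   *
   * <p>The directory is not created here; it is created lazily the first time one of the path
   * accessors finds that it does not exist.
   *
   * @param path location of the storage directory; must not be blank
   */
  public AbstractDiskBasedService(String path) {
    Validate.notBlank(path, "The storage path cannot be blank");
    this.storagePath = Paths.get(path);
  }

  /**
   * Returns the storage directory, creating it first if it does not exist yet.
   *
   * @return the storage root
   * @throws StoragePathNotAvailableException if the directory is missing and cannot be created
   */
  protected Path getStoragePath() {
    if (!Files.exists(storagePath)) {
      init();
    }
    return storagePath;
  }

  /**
   * Resolves the location inside the storage directory that belongs to the given upload.
   *
   * <p>The textual form of the upload ID is resolved against the storage root and the result is
   * accepted only if, after normalization, it lies strictly below that root. An ID that climbs
   * out of the root (for example through {@code ..} segments or an absolute path) is rejected,
   * and so is an ID that normalizes to the root itself, because the root is not an upload
   * location.
   *
   * <p>The check is purely lexical: {@link Path#normalize()} does not resolve symbolic links, so
   * a link that already exists inside the storage directory and points elsewhere is not detected
   * here.
   *
   * @param id the upload identifier, may be {@code null}
   * @return the resolved (not normalized) path for the upload, or {@code null} when {@code id}
   *     is {@code null}
   * @throws IllegalArgumentException if the ID does not resolve to a location strictly inside the
   *     storage directory
   * @throws StoragePathNotAvailableException if the storage directory is missing and cannot be
   *     created
   */
  protected Path getPathInStorageDirectory(UploadId id) {
    if (!Files.exists(storagePath)) {
      init();
    }

    if (id == null) {
      return null;
    }

    Path path = storagePath.resolve(id.toString());

    // Compare normalized absolute forms so that "." and ".." segments in either the configured
    // root or the ID cannot hide where the path really points.
    Path root = storagePath.normalize().toAbsolutePath();
    Path candidate = path.normalize().toAbsolutePath();

    // startsWith() is also true when both paths are equal, so an ID such as "." would otherwise
    // be handed the storage root itself; require a strict descendant.
    // NOTE(review): this rejection branch should be exercised by a unit test; which ID strings
    // can reach it depends on how UploadId renders its value — confirm against UploadId.
    if (!candidate.startsWith(root) || candidate.equals(root)) {
      throw new IllegalArgumentException(
          "Upload ID is not valid and would result in a path traversal");
    }
    return path;
  }

  /**
   * Creates the storage directory, including missing parents, if it does not exist.
   *
   * <p>The method is synchronized and repeats the existence check, so callers on the same
   * instance that race past the unsynchronized check in the accessors do not all attempt the
   * creation.
   *
   * @throws StoragePathNotAvailableException if the directory cannot be created
   */
  private synchronized void init() {
    if (!Files.exists(storagePath)) {
      try {
        Files.createDirectories(storagePath);
      } catch (IOException e) {
        String message =
            "Unable to create the directory specified by the storage path " + storagePath;
        log.error(message, e);
        // Keep the IOException as the cause so the underlying file system error is not lost.
        throw new StoragePathNotAvailableException(message, e);
      }
    }
  }
}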