tomdesair / tus-java-server / 27511039832

coverage: 94.852% (-0.07%) from 94.92%
27511039832

Pull #90

github

web-flow 
Merge ff26f2db0 into 6d81fd72b
Pull Request #90: 🔒 Fix Path Traversal Vulnerability in Disk Storage Service

622 of 700 branches covered (88.86%)

Branch coverage included in aggregate %.

3 of 4 new or added lines in 1 file covered. (75.0%)

1810 of 1864 relevant lines covered (97.1%)

6.57 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

79.41
/src/main/java/me/desair/tus/server/upload/disk/AbstractDiskBasedService.java
1 
package me.desair.tus.server.upload.disk;
2 









3



import java.io.IOException;










4



import java.nio.file.Files;










5



import java.nio.file.Path;










6



import java.nio.file.Paths;










7



import me.desair.tus.server.TusFileUploadService;










8



import me.desair.tus.server.upload.UploadId;










9



import org.apache.commons.lang3.Validate;










10



import org.slf4j.Logger;










11



import org.slf4j.LoggerFactory;










12












13



/** Common abstract super class to implement service that use the disk file system */










14



public class AbstractDiskBasedService {










15












16



  private static final Logger log = LoggerFactory.getLogger(TusFileUploadService.class);




8





17












18



  private Path storagePath;










19












20



  public AbstractDiskBasedService(String path) {




4





21



    Validate.notBlank(path, "The storage path cannot be blank");




12





22



    this.storagePath = Paths.get(path);




12





23



  }




2





24












25



  protected Path getStoragePath() {










26



    if (!Files.exists(storagePath)) {





12





27



      init();




2





28



    }










29



    return storagePath;




6





30



  }










31












32



  protected Path getPathInStorageDirectory(UploadId id) {










33



    if (!Files.exists(storagePath)) {





12





34



      init();




4





35



    }










36












37



    if (id == null) {





4





38



      return null;




4





39



    } else {











40



      Path uploadPath = storagePath.resolve(id.toString()).normalize();




14






41



      if (!uploadPath.toAbsolutePath().startsWith(storagePath.toAbsolutePath().normalize())) {





16!






NEW


42



        throw new IllegalArgumentException("Invalid upload ID");




×







43



      }











44



      return uploadPath;




4





45



    }










46



  }










47












48



  private synchronized void init() {










49



    if (!Files.exists(storagePath)) {





12!





50



      try {










51



        Files.createDirectories(storagePath);




12





52



      } catch (IOException e) {




×







53



        String message =




×







54



            "Unable to create the directory specified by the storage path " + storagePath;










55



        log.error(message, e);




×







56



        throw new StoragePathNotAvailableException(message, e);




×







57



      }




2





58



    }










59



  }




2





60



}
























    

  • 

    •