tomdesair / tus-java-server / 27606803414

coverage: 94.854% (-0.07%) from 94.92%
27606803414

Pull #92

github

web-flow 
Merge 08ec3c9a7 into 6d81fd72b
Pull Request #92: 🛡️ Sentinel: [CRITICAL] Fix Path Traversal in AbstractDiskBasedService

622 of 700 branches covered (88.86%)

Branch coverage included in aggregate %.

4 of 5 new or added lines in 1 file covered. (80.0%)

1811 of 1865 relevant lines covered (97.1%)

6.56 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

80.0
/src/main/java/me/desair/tus/server/upload/disk/AbstractDiskBasedService.java
1 
package me.desair.tus.server.upload.disk;
2 









3



import java.io.IOException;










4



import java.nio.file.Files;










5



import java.nio.file.Path;










6



import java.nio.file.Paths;










7



import me.desair.tus.server.TusFileUploadService;










8



import me.desair.tus.server.upload.UploadId;










9



import org.apache.commons.lang3.Validate;










10



import org.slf4j.Logger;










11



import org.slf4j.LoggerFactory;










12












13



/** Common abstract super class to implement service that use the disk file system */










14



public class AbstractDiskBasedService {










15












16



  private static final Logger log = LoggerFactory.getLogger(TusFileUploadService.class);




8





17












18



  private Path storagePath;










19












20



  public AbstractDiskBasedService(String path) {




4





21



    Validate.notBlank(path, "The storage path cannot be blank");




12





22



    this.storagePath = Paths.get(path);




12





23



  }




2





24












25



  protected Path getStoragePath() {










26



    if (!Files.exists(storagePath)) {





12





27



      init();




2





28



    }










29



    return storagePath;




6





30



  }










31












32



  protected Path getPathInStorageDirectory(UploadId id) {










33



    if (!Files.exists(storagePath)) {





12





34



      init();




4





35



    }










36












37



    if (id == null) {





4





38



      return null;




4





39



    } else {











40



      Path resolvedPath = storagePath.resolve(id.toString());




12






41



      Path normalizedStoragePath = storagePath.toAbsolutePath().normalize();




10






42



      if (!resolvedPath.toAbsolutePath().normalize().startsWith(normalizedStoragePath)) {





12!






NEW


43



        throw new IllegalArgumentException("Upload ID violates storage path boundaries");




×







44



      }











45



      return resolvedPath;




4





46



    }










47



  }










48












49



  private synchronized void init() {










50



    if (!Files.exists(storagePath)) {





12!





51



      try {










52



        Files.createDirectories(storagePath);




12





53



      } catch (IOException e) {




×







54



        String message =




×







55



            "Unable to create the directory specified by the storage path " + storagePath;










56



        log.error(message, e);




×







57



        throw new StoragePathNotAvailableException(message, e);




×







58



      }




2





59



    }










60



  }




2





61



}
























    

  • 

    •