Fix customized resource lookup Path Traversal vulnerability

Affects issues:
- Fixed #2830
Aurora Lahtela 2023-01-13 23:23:12 +02:00
parent 205692af65
commit bd85f10c55


@ -156,6 +156,9 @@ public class PlanFiles implements SubSystem {
Path dir = config.get().getResourceSettings().getCustomizationDirectory();
if (dir.toFile().exists() && dir.toFile().isDirectory()) {
Path asPath = dir.resolve(resourceName);
if (!asPath.startsWith(dir)) {
return Optional.empty();
}
File found = asPath.toFile();
if (found.exists()) {
return Optional.of(found);
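Review bot: The new `asPath.startsWith(dir)` guard compares path name elements without normalizing them, so it rejects an absolute `resourceName` (where `resolve` returns the argument itself) but not a relative one containing `..` segments, because `dir/../x` still starts with `dir` element-wise. Normalizing both sides before the comparison would close that gap: `Path asPath = dir.resolve(resourceName).normalize();` followed by `if (!asPath.startsWith(dir.normalize())) {`. Whether `resourceName` is already sanitized by callers is not visible here, and the enclosing method starts and ends outside the hunk, so this is worth confirming against the call sites. If the customization directory can contain symlinks, a `toRealPath()` comparison on the found file would be the stricter check. A short comment above the guard such as `// resourceName is untrusted: keep the resolved path inside the customization directory` would record why the check exists.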