Refactor file path validation code; reject apps with up-level references in the name
Change-Id: I4b14604608078d12df2f7b89f9f841ed19c2552c
diff --git a/utils/misc/src/main/java/org/onlab/util/ZipValidator.java b/utils/misc/src/main/java/org/onlab/util/FilePathValidator.java
similarity index 67%
rename from utils/misc/src/main/java/org/onlab/util/ZipValidator.java
rename to utils/misc/src/main/java/org/onlab/util/FilePathValidator.java
index 22c6cba..da66a14 100644
--- a/utils/misc/src/main/java/org/onlab/util/ZipValidator.java
+++ b/utils/misc/src/main/java/org/onlab/util/FilePathValidator.java
@@ -23,13 +23,30 @@
/**
* Utilities for validation of Zip files.
*/
-public final class ZipValidator {
+public final class FilePathValidator {
/**
* Do not allow construction.
*/
- private ZipValidator() {
+ private FilePathValidator() {
+ }
+ /**
+ * Validates a File. Checks that the file being created does not
+ * lie outside the target directory.
+ *
+ * @param destinationFile file to check
+ * @param destinationDir target directory
+ * @return true if the Entry resolves to a file inside the target directory; false otherwise
+ */
+ public static boolean validateFile(File destinationFile, File destinationDir) {
+ try {
+ String canonicalDestinationDirPath = destinationDir.getCanonicalPath();
+ String canonicalDestinationFile = destinationFile.getCanonicalPath();
+ return canonicalDestinationFile.startsWith(canonicalDestinationDirPath + File.separator);
+ } catch (IOException ioe) {
+ return false;
+ }
}
/**