From 07c8d34ac8a8f4b322259958e5c057e98546e078 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=A2=81=E5=9B=AD10?=
Date: Thu, 17 Oct 2019 15:19:26 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E9=9D=99=E6=80=81=E8=B5=84?= =?UTF-8?q?=E6=BA=90=E7=9A=84=E8=AE=BF=E9=97=AE=E9=99=90=E5=88=B6:?= =?UTF-8?q?=E5=8F=AA=E5=85=81=E8=AE=B8=E8=AE=BF=E9=97=AE=E9=9D=99=E6=80=81?= =?UTF-8?q?=E8=B5=84=E6=BA=90=E7=9B=AE=E5=BD=95=E4=B8=8B=E7=9A=84=E6=96=87?= =?UTF-8?q?=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/main/java/io/zbus/rpc/StaticResource.java | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/main/java/io/zbus/rpc/StaticResource.java b/src/main/java/io/zbus/rpc/StaticResource.java
index c553095b..33d16a4d 100644
--- a/src/main/java/io/zbus/rpc/StaticResource.java
+++ b/src/main/java/io/zbus/rpc/StaticResource.java
@@ -64,7 +64,23 @@ public class StaticResource {
 File fullPath = new File(absoluteBasePath, urlFile);
 file = fullPath.getAbsolutePath();
 }
-
+
+ // security restriction: access to files outside absoluteBasePath is forbidden
+ boolean validFilePath = true;
+ try {
+ File allowedDir = new File(this.absoluteBasePath.getCanonicalPath());
+ String canonicalFilePath = new File(file).getCanonicalPath();
+ validFilePath = canonicalFilePath.startsWith(allowedDir.getCanonicalPath());
+ } catch (IOException e) {
+ validFilePath = false;
+ }
+ if (!validFilePath) {
+ res.setStatus(404);
+ res.setHeader(Http.CONTENT_TYPE, "text/plain; charset=utf8");
+ res.setBody(urlFile + " Not Found");
+ return res;
+ }
+
 String contentType = HttpKit.contentType(urlFile);
 if(contentType == null) {
 contentType = "application/octet-stream";
-- Gitee
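Review bot: The containment test on the `validFilePath = canonicalFilePath.startsWith(allowedDir.getCanonicalPath());` line is a bare string-prefix comparison, so a sibling directory whose canonical name merely begins with the base directory's name (base `…/static`, file under `…/static-private`) is still accepted as "inside" the allowed directory. Compare against the base with a trailing separator instead, e.g. `String allowedPrefix = allowedDir.getCanonicalPath();` followed by `validFilePath = canonicalFilePath.equals(allowedPrefix) || canonicalFilePath.startsWith(allowedPrefix + File.separator);` (or resolve both as `java.nio.file.Path` and use `Path.startsWith`, which is component-based). The `new File(this.absoluteBasePath.getCanonicalPath())` wrapper is redundant, since calling `getCanonicalPath()` on it again yields the same string as `this.absoluteBasePath.getCanonicalPath()` would directly. The catch clause needs `java.io.IOException` in scope and the hunk does not show it being imported, so that is worth confirming against the file's import block. The enclosing method starts and ends outside the hunk, so whether `file` is always set by the branch above (or can arrive from another branch not subject to this check) cannot be judged from here.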