Hi SSHD team,
Not sure if this is a bug or not, but when I instantiate a new FileSystem
using the VirtualFileSystemFactory and RootedFileSystemProvider, as a user
on the box, I am able to mkdir and get/put files in parent (i.e.
non-subpath) paths of the supposed "root" if I do something like
sftp> pwd
Remote working directory: /
$ put ../thisismyfile
It seems like the resolveLocalPath which is supposed to throw an
InvalidPathException if the path is not a proper subpath of the rooted file
system needs to normalize the path in addition to doing it's nullity
checks. I was able to prevent this behavior by doing something like this,
but not sure if this is the best approach.
Any guidance/explanation would be appreciated. Thanks.
public class FixedRootedFileSystemProvider extends RootedFileSystemProvider {
private static final Logger LOG =
LoggerFactory.getLogger(FixedRootedFileSystemProvider.class);
public FixedRootedFileSystemProvider() { super(); }
@Override
protected Path resolveLocalPath(RootedPath path) {
Path resolvedLocalPath = super.resolveLocalPath(path);
return validateParent(path, resolvedLocalPath);
}
private Path validateParent(RootedPath path, Path localPath) throws
InvalidPathException {
RootedFileSystem rfs = path.getFileSystem();
Path root = rfs.getRoot();
if
(!localPath.toAbsolutePath().normalize().startsWith(root.toAbsolutePath().normalize()))
{ //i.e. is not a REAL subpath
LOG.info("{} is not a subpath of the root FS path " +
root.toAbsolutePath().normalize(),
localPath.toAbsolutePath().normalize());
throw new InvalidPathException(localPath.toString(), "Invalid path");
}
return localPath;
}
}
