Re: [PR] NIFI-12297 Standardize File Path resolution in Persistence Providers [nifi]

via GitHub Thu, 02 Nov 2023 17:48:04 -0700


github-advanced-security[bot] commented on code in PR #7975:
URL: https://github.com/apache/nifi/pull/7975#discussion_r1380933669



##########
nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/provider/flow/FileSystemFlowPersistenceProvider.java:
##########
@@ -174,13 +186,37 @@
         }
 
         if (LOGGER.isDebugEnabled()) {
-            LOGGER.debug("Deleted snapshot at {}", new Object[] 
{snapshotFile.getAbsolutePath()});
+            LOGGER.debug("Deleted snapshot at {}", 
snapshotFile.getAbsolutePath());
         }
     }
 
     protected File getSnapshotFile(final String bucketId, final String flowId, 
final int version) {
-        final String snapshotFilename = bucketId + "/" + flowId + "/" + 
version + "/" + version + SNAPSHOT_EXTENSION;
-        return new File(flowStorageDir, snapshotFilename);
+        final String versionExtension = version + SNAPSHOT_EXTENSION;
+        final Path snapshotLocation = Paths.get(getNormalizedId(bucketId), 
getNormalizedId(flowId), Integer.toString(version), versionExtension);

Review Comment:
   ## Uncontrolled data used in path expression
   
   This path depends on a [user-provided value](1).
   This path depends on a [user-provided value](2).
   
   [Show more details](https://github.com/apache/nifi/security/code-scanning/59)



##########
nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/provider/extension/FileSystemBundlePersistenceProvider.java:
##########
@@ -227,7 +237,11 @@
 
         final String bundleFileExtension = getBundleFileExtension(bundleType);
         final String bundleFilename = sanitize(artifactId) + "-" + 
sanitize(version) + bundleFileExtension;
-        return new File(parentDir, bundleFilename);
+        return getChildLocation(parentDir, Paths.get(bundleFilename));
+    }
+
+    static Path getArtifactPath(final String bucketId, final String groupId, 
final String artifactId) {
+        return Paths.get(getNormalizedBucketId(bucketId), sanitize(groupId), 
sanitize(artifactId)).normalize();

Review Comment:
   ## Uncontrolled data used in path expression
   
   This path depends on a [user-provided value](1).
   
   [Show more details](https://github.com/apache/nifi/security/code-scanning/64)



##########
nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/provider/flow/FileSystemFlowPersistenceProvider.java:
##########
@@ -174,13 +186,37 @@
         }
 
         if (LOGGER.isDebugEnabled()) {
-            LOGGER.debug("Deleted snapshot at {}", new Object[] 
{snapshotFile.getAbsolutePath()});
+            LOGGER.debug("Deleted snapshot at {}", 
snapshotFile.getAbsolutePath());
         }
     }
 
     protected File getSnapshotFile(final String bucketId, final String flowId, 
final int version) {
-        final String snapshotFilename = bucketId + "/" + flowId + "/" + 
version + "/" + version + SNAPSHOT_EXTENSION;
-        return new File(flowStorageDir, snapshotFilename);
+        final String versionExtension = version + SNAPSHOT_EXTENSION;
+        final Path snapshotLocation = Paths.get(getNormalizedId(bucketId), 
getNormalizedId(flowId), Integer.toString(version), versionExtension);
+        return getChildLocation(flowStorageDir, snapshotLocation);
+    }
+
+    private File getChildLocation(final File parentDir, final Path 
childLocation) {
+        final Path parentPath = parentDir.toPath().normalize();
+        final Path childPathNormalized = childLocation.normalize();
+        final Path childPath = parentPath.resolve(childPathNormalized);
+        if (childPath.startsWith(parentPath)) {
+            return childPath.toFile();
+        }
+        throw new IllegalArgumentException(String.format("Child location not 
valid [%s]", childLocation));
     }
 
+    private Path getNormalizedIdPath(final String id) {
+        final String normalizedId = getNormalizedId(id);
+        return Paths.get(normalizedId).normalize();

Review Comment:
   ## Uncontrolled data used in path expression
   
   This path depends on a [user-provided value](1).
   This path depends on a [user-provided value](2).
   This path depends on a [user-provided value](3).
   This path depends on a [user-provided value](4).
   This path depends on a [user-provided value](5).
   
   [Show more details](https://github.com/apache/nifi/security/code-scanning/65)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] NIFI-12297 Standardize File Path resolution in Persistence Providers [nifi]

Reply via email to