[ https://issues.apache.org/jira/browse/JAMES-3682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456908#comment-17456908 ]

Bernd Bartke edited comment on JAMES-3682 at 12/10/21, 6:51 AM:
----------------------------------------------------------------

The following snippet of code should do the desired tasks and does not require significant changes in other components:

{code:java}
public void validate(File file) throws IOException {
    final java.nio.file.Path rootPath = java.nio.file.Path.of(jamesDirectoriesProvider.getRootDirectory()).normalize();
    final java.nio.file.Path path = file.toPath().normalize();
    final boolean validate = path.startsWith(rootPath);
    if (!validate) {
        throw new IOException(path + " jail break outside of " + rootPath);
    }
}
{code}

Output during startup:
{noformat}
rootPath ': ..'
path ': ..\var\mail\error'
validate ': true'
...
rootPath ': ..'
path ': ..\var\mail\spam'
validate ': true'
{noformat}


was (Author: bbartke):
The following snippet of code should do the desired tasks and does not require significant changes in other components:

{code:java}
public void validate(File file) throws IOException {
    final java.nio.file.Path rootPath = java.nio.file.Path.of(jamesDirectoriesProvider.getRootDirectory()).toRealPath();
    final java.nio.file.Path path = file.toPath().toRealPath();
    final boolean validate = path.startsWith(rootPath);
    if (!validate) {
        throw new IOException(path + " jail break outside of " + rootPath);
    }
}
{code}

Output during startup:
{noformat}
rootPath ': C:\SomeFolder\james-server-app-3.6.1'
path ': C:\SomeFolder\james-server-app-3.6.1\var\mail\error'
validate ': true'
...
rootPath ': C:\SomeFolder\james-server-app-3.6.1'
path ': C:\SomeFolder\james-server-app-3.6.1\var\mail\spam'
validate ': true'
{noformat}


> Validation/jail break detection of file url is breaking FileMailRepository
> initialization
> -----------------------------------------------------------------------------------------
>
>                 Key: JAMES-3682
>                 URL: https://issues.apache.org/jira/browse/JAMES-3682
>             Project: James Server
>          Issue Type: Bug
>          Components: MailStore & MailRepository
>    Affects Versions: 3.6.1
>            Reporter: Bernd Bartke
>            Priority: Major
>
> The validation/jail break detection of a file url within
> DefaultJamesResourceLoader is breaking FileMailRepository initialization.
> Within
> {{org.apache.james.container.spring.context.JamesServerApplicationContext:40}}
> the resource loader is being initialized with root directory {{../}}.
> When attempting to initialize file mail repository with url
> {{file://var/mail/error}}, the validation of the file url will throw an
> IOException in
> {{org.apache.james.container.spring.resource.DefaultJamesResourceLoader.validate(DefaultJamesResourceLoader.java:51)}}:
> {{C:\SomeFolder\james-server-app-3.6.1\var\mail\error jail break outside of ../}}
> As within {{JamesServerResourceLoader}} the root directory {{../}} is not
> resolved to a real path, the string startsWith checks within
> {{DefaultJamesResourceLoader.validate}} are failing and will throw an
> IOException.
> {noformat}
> 2021-12-09T11:00:23.495 DEBUG [main] org.apache.james.container.spring.bean.factory.mailrepositorystore.MailRepositoryStoreBeanFactory - obtained repository: org.apache.james.mailrepository.file.FileMailRepository to handle: file
> 2021-12-09T11:00:23.502 DEBUG [main] org.apache.james.mailrepository.file.FileMailRepository - FileMailRepository.destinationURL: file://var/mail/error
> 2021-12-09T11:00:23.503 INFO [main] org.apache.james.repository.file.AbstractFileRepository - Init org.apache.james.repository.file.FilePersistentObjectRepository Store
> 2021-12-09T11:00:23.504 ERROR [main] org.apache.james.mailrepository.file.FileMailRepository - Failed to retrieve Store component
> org.apache.commons.configuration2.ex.ConfigurationException: Unable to acces destination file://var/mail/error
>     at org.apache.james.repository.file.AbstractFileRepository.setDestination(AbstractFileRepository.java:151) ~[james-server-data-library-3.6.1.jar:3.6.1]
>     at org.apache.james.repository.file.AbstractFileRepository.init(AbstractFileRepository.java:84) ~[james-server-data-library-3.6.1.jar:3.6.1]
>     at org.apache.james.mailrepository.file.FileMailRepository.init(FileMailRepository.java:140) [james-server-data-file-3.6.1.jar:3.6.1]
> ...
> Caused by: java.io.IOException: C:\SomeFolder\james-server-app-3.6.1\var\mail\error jail break outside of ../
>     at org.apache.james.container.spring.resource.DefaultJamesResourceLoader.validate(DefaultJamesResourceLoader.java:51) ~[james-server-spring-3.6.1.jar:3.6.1]
>     at org.apache.james.container.spring.context.JamesServerApplicationContext.validate(JamesServerApplicationContext.java:48) ~[james-server-spring-3.6.1.jar:3.6.1]
>     at org.apache.james.container.spring.filesystem.ResourceLoaderFileSystem.getFileWithinBaseDir(ResourceLoaderFileSystem.java:63) ~[james-server-spring-3.6.1.jar:3.6.1]
>     at org.apache.james.repository.file.AbstractFileRepository.setDestination(AbstractFileRepository.java:149) ~[james-server-data-library-3.6.1.jar:3.6.1]
> {noformat}
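
Added example, not part of the original comment or of the James code base: a practitioner's check on the two validation variants discussed in this message. With a relative root such as {{..}}, {{normalize()}} keeps leading {{..}} elements, so a purely lexical {{startsWith}} returns true for all three sample paths below, while resolving both sides against an absolute base first accepts only the first. The class name, method names, the base directory {{/opt/james/bin}} and the sample paths are assumptions made for the illustration.

```java
import java.nio.file.Path;

// Added illustration; class, method names and sample paths are hypothetical.
public class JailCheckDemo {

    // Purely lexical check, same shape as the normalize() version quoted above.
    static boolean lexicalCheck(Path root, Path candidate) {
        return candidate.normalize().startsWith(root.normalize());
    }

    // Anchor both sides to an absolute base before normalizing, so leading
    // ".." elements are collapsed instead of being kept as name elements.
    static boolean anchoredCheck(Path base, Path root, Path candidate) {
        Path absRoot = base.resolve(root).normalize();
        Path absCandidate = base.resolve(candidate).normalize();
        return absCandidate.startsWith(absRoot);
    }

    public static void main(String[] args) {
        // Constructed values: "bin" as working directory, ".." as root directory.
        Path base = Path.of("/opt/james/bin");
        Path root = Path.of("..");
        String[] samples = {
            "../var/mail/error",            // inside the root
            "../../other/var/mail/error",   // one level above the root
            "../var/mail/../../../other"    // climbs back out after entering
        };
        for (String s : samples) {
            Path p = Path.of(s);
            System.out.printf("%-30s lexical=%-5b anchored=%b%n",
                    s, lexicalCheck(root, p), anchoredCheck(base, root, p));
        }
        // toRealPath(), used in the earlier revision of the comment, also
        // resolves symbolic links but throws if the path does not exist yet.
    }
}
```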