Prevent parent path traversal in filesystem-nio2

gaul · gaul · commit 4b7a59fa5066 · 2025-01-31T17:41:02.000-08:00
Reported-by: Nico Waisman &lt;nico@xbow.com&gt;
diff --git a/src/main/java/org/gaul/s3proxy/nio2blob/AbstractNio2BlobStore.java b/src/main/java/org/gaul/s3proxy/nio2blob/AbstractNio2BlobStore.java
@@ -183,7 +183,11 @@ public final PageSet<? extends StorageMetadata> list(String container,
         } else {
             prefix = "";
         }
-        var pathPrefix = root.resolve(container).resolve(prefix);
+        var pathPrefix = root.resolve(container).resolve(prefix).normalize();
+        if (!pathPrefix.startsWith(container)) {
+            throw new IllegalArgumentException("Invalid key name: path traversal attempt detected.");
+        }
+        logger.debug("Listing blobs at: {}", pathPrefix);
         var set = ImmutableSortedSet.<StorageMetadata>naturalOrder();
         try {
             listHelper(set, container, dirPrefix, pathPrefix, delimiter);
@@ -344,7 +348,10 @@ public final Blob getBlob(String container, String key, GetOptions options) {
             throw new ContainerNotFoundException(container, "");
         }
 
-        var path = root.resolve(container).resolve(key);
+        var path = root.resolve(container).resolve(key).normalize();
+        if (!path.startsWith(container)) {
+            throw new IllegalArgumentException("Invalid key name: path traversal attempt detected.");
+        }
         logger.debug("Getting blob at: {}", path);
 
         try {
@@ -528,7 +535,10 @@ public final String putBlob(String container, Blob blob, PutOptions options) {
             throw new ContainerNotFoundException(container, "");
         }
 
-        var path = root.resolve(container).resolve(blob.getMetadata().getName());
+        var path = root.resolve(container).resolve(blob.getMetadata().getName()).normalize();
+        if (!path.startsWith(container)) {
+            throw new IllegalArgumentException("Invalid key name: path traversal attempt detected.");
+        }
         // TODO: should we use a known suffix to filter these out during list?
         var tmpPath = root.resolve(container).resolve(blob.getMetadata().getName() + "-" + UUID.randomUUID());
         logger.debug("Creating blob at: {}", path);
@@ -693,7 +703,11 @@ public final String copyBlob(String fromContainer, String fromName,
     public final void removeBlob(String container, String key) {
         try {
             var containerPath = root.resolve(container);
-            var path = containerPath.resolve(key);
+            var path = containerPath.resolve(key).normalize();
+            if (!path.startsWith(container)) {
+                throw new IllegalArgumentException("Invalid key name: path traversal attempt detected.");
+            }
+            logger.debug("Deleting blob at: {}", path);
             Files.delete(path);
             removeEmptyParentDirectories(containerPath, path.getParent());
         } catch (NoSuchFileException nsfe) {
@@ -771,7 +785,11 @@ public final BlobAccess getBlobAccess(String container, String key) {
             throw new KeyNotFoundException(container, key, "");
         }
 
-        var path = root.resolve(container).resolve(key);
+        var path = root.resolve(container).resolve(key).normalize();
+        if (!path.startsWith(container)) {
+            throw new IllegalArgumentException("Invalid key name: path traversal attempt detected.");
+        }
+
         Set<PosixFilePermission> permissions;
         try {
             permissions = Files.getPosixFilePermissions(path);
@@ -791,7 +809,11 @@ public final void setBlobAccess(String container, String key, BlobAccess access)
             throw new KeyNotFoundException(container, key, "");
         }
 
-        var path = root.resolve(container).resolve(key);
+        var path = root.resolve(container).resolve(key).normalize();
+        if (!path.startsWith(container)) {
+            throw new IllegalArgumentException("Invalid key name: path traversal attempt detected.");
+        }
+
         Set<PosixFilePermission> permissions;
         try {
             permissions = new HashSet<>(Files.getPosixFilePermissions(path));
diff --git a/src/test/java/org/gaul/s3proxy/AwsSdkTest.java b/src/test/java/org/gaul/s3proxy/AwsSdkTest.java
@@ -1717,6 +1717,89 @@ public Map.Entry<String, BlobStore> locateBlobStore(
         }
     }
 
+    @Test
+    public void testCopyRelativePath() throws Exception {
+        try {
+            client.copyObject(new CopyObjectRequest(
+                    containerName, "../evil.txt", containerName, "good.txt"));
+            Fail.failBecauseExceptionWasNotThrown(AmazonS3Exception.class);
+        } catch (AmazonS3Exception e) {
+            if (blobStoreType.equals("filesystem") || blobStoreType.equals("filesystem-nio2") || blobStoreType.equals("transient-nio2")) {
+                assertThat(e.getErrorCode()).isEqualTo("400 Bad Request");
+            } else {
+                assertThat(e.getErrorCode()).isEqualTo("NoSuchKey");
+            }
+        }
+    }
+
+    @Test
+    public void testDeleteRelativePath() throws Exception {
+        try {
+            client.deleteObject(containerName, "../evil.txt");
+            if (blobStoreType.equals("filesystem") || blobStoreType.equals("filesystem-nio2") || blobStoreType.equals("transient-nio2")) {
+                Fail.failBecauseExceptionWasNotThrown(AmazonS3Exception.class);
+            }
+        } catch (AmazonS3Exception e) {
+            if (blobStoreType.equals("filesystem") || blobStoreType.equals("filesystem-nio2") || blobStoreType.equals("transient-nio2")) {
+                assertThat(e.getErrorCode()).isEqualTo("400 Bad Request");
+            } else {
+                assertThat(e.getErrorCode()).isEqualTo("NoSuchKey");
+            }
+        }
+    }
+
+    @Test
+    public void testGetRelativePath() throws Exception {
+        try {
+            client.getObject(containerName, "../evil.txt");
+            Fail.failBecauseExceptionWasNotThrown(AmazonS3Exception.class);
+        } catch (AmazonS3Exception e) {
+            if (blobStoreType.equals("filesystem") || blobStoreType.equals("filesystem-nio2") || blobStoreType.equals("transient-nio2")) {
+                assertThat(e.getErrorCode()).isEqualTo("400 Bad Request");
+            } else {
+                assertThat(e.getErrorCode()).isEqualTo("NoSuchKey");
+            }
+        }
+    }
+
+    @Test
+    public void testPutRelativePath() throws Exception {
+        try {
+            var metadata = new ObjectMetadata();
+            metadata.setContentLength(BYTE_SOURCE.size());
+            PutObjectResult result = client.putObject(containerName, "../evil.txt",
+                    BYTE_SOURCE.openStream(), metadata);
+            if (blobStoreType.equals("filesystem") || blobStoreType.equals("filesystem-nio2") || blobStoreType.equals("transient-nio2")) {
+                Fail.failBecauseExceptionWasNotThrown(AmazonS3Exception.class);
+            }
+        } catch (AmazonS3Exception e) {
+            if (blobStoreType.equals("filesystem") || blobStoreType.equals("filesystem-nio2") || blobStoreType.equals("transient-nio2")) {
+                assertThat(e.getErrorCode()).isEqualTo("400 Bad Request");
+            } else {
+                assertThat(e.getErrorCode()).isEqualTo("NoSuchKey");
+            }
+        }
+    }
+
+    @Test
+    public void testListRelativePath() throws Exception {
+        assumeTrue(!blobStoreType.equals("filesystem"));
+        try {
+            client.listObjects(new ListObjectsRequest()
+                    .withBucketName(containerName)
+                    .withPrefix("../evil/"));
+            if (blobStoreType.equals("filesystem") || blobStoreType.equals("filesystem-nio2") || blobStoreType.equals("transient-nio2")) {
+                Fail.failBecauseExceptionWasNotThrown(AmazonS3Exception.class);
+            }
+        } catch (AmazonS3Exception e) {
+            if (blobStoreType.equals("filesystem") || blobStoreType.equals("filesystem-nio2") || blobStoreType.equals("transient-nio2")) {
+                assertThat(e.getErrorCode()).isEqualTo("400 Bad Request");
+            } else {
+                throw e;
+            }
+        }
+    }
+
     private static final class NullX509TrustManager
             implements X509TrustManager {
         @Override
