resource-task: Use the shared IOUtils assertInPath method for resource lookups (#1204)

laurayco · web-flow · commit 444e836cf91e · 2025-08-15T08:28:58.000-04:00
diff --git a/plugins/tasks/resource/pom.xml b/plugins/tasks/resource/pom.xml
@@ -25,6 +25,16 @@
             <artifactId>concord-runtime-sdk-v2</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>com.walmartlabs.concord</groupId>
+            <artifactId>concord-common</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>javax.inject</groupId>
             <artifactId>javax.inject</artifactId>
diff --git a/plugins/tasks/resource/src/main/java/com/walmartlabs/concord/plugins/resource/ResourceTaskCommon.java b/plugins/tasks/resource/src/main/java/com/walmartlabs/concord/plugins/resource/ResourceTaskCommon.java
@@ -33,12 +33,13 @@
 import java.io.OutputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Properties;
 
+import static com.walmartlabs.concord.common.IOUtils.assertInPath;
+
 public class ResourceTaskCommon {
 
     private static final String RESOURCE_PREFIX = "resource_";
@@ -233,25 +234,15 @@ public static String prettyPrintYaml(Object value, int indent) throws IOExceptio
     }
 
     private Path normalizePath(String path) {
-        Path p = Paths.get(path);
-        if (p.isAbsolute()) {
-            return p;
-        }
-        return workDir.resolve(path);
+        return assertWorkDirPath(path);
     }
 
     private Path assertWorkDirPath(String path) {
-        if (path == null) {
-            throw new IllegalArgumentException("Path cannot be null");
-        }
-        Path dst = Paths.get(path);
-        if (!dst.isAbsolute()) {
-            dst = workDir.resolve(path).normalize().toAbsolutePath();
-        }
-        if (!dst.startsWith(workDir)) {
-            throw new IllegalArgumentException("Invalid path: " + path);
+        try {
+            return assertInPath(workDir,path);
+        } catch (IOException ex) {
+            throw new IllegalArgumentException("Not authorized to access file outside of working directory: " + path);
         }
-        return dst;
     }
 
     private static ObjectWriter createYamlWriter() {
