author | Jon Marius Venstad <venstad@gmail.com> | 2022-03-23 16:29:08 +0100 |
---|---|---|
committer | Jon Marius Venstad <venstad@gmail.com> | 2022-03-23 16:29:08 +0100 |
commit | 26eda5b8678a5cf2594338e9e5670d786c9d810a (patch) | |
tree | 4f900d9e0dc14fce4d4d5464b064f5fda7fd56a3 | |
parent | 54329a8946debe301d2036397bc4a9d47764555f (diff) |
Fix rest path usage
2 files changed, 10 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
index 246f3fff17e..d9a38a5b578 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
@@ -1883,6 +1883,13 @@ public class ApplicationApiHandler extends AuditLoggingRequestHandler {
 
     private HttpResponse content(String tenantName, String applicationName, String instanceName, String environment, String region, String restPath, HttpRequest request) {
         DeploymentId deploymentId = new DeploymentId(ApplicationId.from(tenantName, applicationName, instanceName), requireZone(environment, region));
+
+        String normalizedRestPath = URI.create("content/" + restPath).normalize().toString();
+        // Only content/ is allowed
+        if ( ! normalizedRestPath.startsWith("content/")) {
+            return ErrorResponse.forbidden("Access denied");
+        }
+
         return controller.serviceRegistry().configServer().getApplicationPackageContent(deploymentId, "/" + restPath, request.getUri());
     }
 
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
index 8ab43f15c89..f94f87b0f46 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
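Review bot: The new guard validates `normalizedRestPath`, but the last line of the hunk still forwards the raw `"/" + restPath` to the config server, so what was checked and what is sent can differ whenever the downstream resolves the path differently from `URI.normalize()` (a `%2E%2E` that only the config server decodes, for instance, is not something the single-encoded test input exercises; whether that happens is not visible here). Forward the value you actually validated, `getApplicationPackageContent(deploymentId, normalizedRestPath.substring("content".length()), request.getUri())`, which still yields `/` for the root listing. Separately, `URI.create` throws `IllegalArgumentException` on input that is not a legal URI (a literal space, backslash or dangling `%`), so unless the surrounding handler already maps that to a 4xx, a client can provoke an unhandled exception here instead of a forbidden response; catching it and answering with a bad-request error would close that gap. The comment should also say why the guard exists, e.g. `// Reject path traversal: validate the normalized path and forward that, never the raw restPath`.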
@@ -500,6 +500,9 @@ public class ApplicationApiTest extends ControllerContainerTest { .userIdentity(USER_ID), "INFO - All good"); + // Get content/../foo + tester.assertResponse(request("/application/v4/tenant/tenant2/application/application1/instance/default/environment/dev/region/us-east-1/content/%2E%2E%2Ffoo", GET).userIdentity(USER_ID), + "{\"error-code\":\"FORBIDDEN\",\"message\":\"Access denied\"}", 403); // Get content - root tester.assertResponse(request("/application/v4/tenant/tenant2/application/application1/instance/default/environment/dev/region/us-east-1/content/", GET).userIdentity(USER_ID), "{\"path\":\"/\"}"); |
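Review bot: The added case pins only the rejection of a single-encoded `../`; nothing asserts which path reaches the config server for a request that contains `..` yet stays inside `content/`, such as `content/foo/../bar`, which the guard accepts but the handler forwards unnormalized. Since the root case already checks what appears to be the echoed path, `{"path":"/"}`, a sibling assertion on the echoed path for that input would document whether the raw or the normalized path is forwarded. A double-encoded variant (`%252E%252E%252Ffoo`) would also be worth a line, as it shows whether the check sees the path after one decode or two.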