Make application dir upper level

author: Jon Marius Venstad <venstad@gmail.com> 2022-03-24 14:06:09 +0100
committer: Jon Marius Venstad <venstad@gmail.com> 2022-03-24 14:06:09 +0100
commit: aff293337701a121801f7f0570f0aa40553c0d3f (patch)
tree: b1347b6fc2bfa4c8fab0506561688c3870a166ec /standalone-container
parent: 04927f9142d5582d79757b9b66e2924f7d84dd93 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java b/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java
index 285f0f60c3f..f755d988f28 100644
--- a/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java
+++ b/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java
@@ -52,6 +52,10 @@ public class LocalFileDb implements FileAcquirer, FileRegistry {
     @Override
     public FileReference addFile(String relativePath) {
         File file = appPath.resolve(relativePath).toFile();
+        Path relative = appPath.relativize(file.toPath()).normalize();
+        if (relative.isAbsolute() || relative.startsWith(".."))
+            throw new IllegalArgumentException(file + " is not a descendant of " + appPath);
+
         if (!file.exists()) {
             throw new RuntimeException("The file does not exist: " + file.getPath());
         }
author	Jon Marius Venstad <venstad@gmail.com>	2022-03-24 14:06:09 +0100
committer	Jon Marius Venstad <venstad@gmail.com>	2022-03-24 14:06:09 +0100
commit	aff293337701a121801f7f0570f0aa40553c0d3f (patch)
tree	b1347b6fc2bfa4c8fab0506561688c3870a166ec /standalone-container
parent	04927f9142d5582d79757b9b66e2924f7d84dd93 (diff)