-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/filedistribution/ApplicationFileManager.java10
-rw-r--r--configserver/src/test/java/com/yahoo/vespa/config/server/filedistribution/FileDBRegistryTestCase.java14
-rw-r--r--controller-server/src/test/resources/application-packages/changed-deployment-xml.zipbin810 -> 760 bytes
-rw-r--r--controller-server/src/test/resources/application-packages/changed-services-xml.zipbin819 -> 719 bytes
-rw-r--r--controller-server/src/test/resources/application-packages/original.zipbin818 -> 720 bytes
-rw-r--r--controller-server/src/test/resources/application-packages/similar-deployment-xml.zipbin819 -> 769 bytes
-rw-r--r--standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java4
7 files changed, 27 insertions, 1 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/filedistribution/ApplicationFileManager.java b/configserver/src/main/java/com/yahoo/vespa/config/server/filedistribution/ApplicationFileManager.java
index 35295ef357f..ad47f2b9e95 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/filedistribution/ApplicationFileManager.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/filedistribution/ApplicationFileManager.java
@@ -32,7 +32,15 @@ public class ApplicationFileManager implements AddFileInterface {
@Override
public FileReference addFile(String relativePath) throws IOException {
- return fileDirectory.addFile(new File(applicationDir, relativePath));
+ Path path = Path.of(relativePath).normalize();
+ if (path.isAbsolute())
+ throw new IllegalArgumentException(relativePath + " is not relative");
+ File file = new File(applicationDir, relativePath);
+ Path relative = applicationDir.toPath().relativize(file.toPath()).normalize();
+ if (relative.isAbsolute() || relative.startsWith(".."))
+ throw new IllegalArgumentException(file + " is not a descendant of " + applicationDir);
+
+ return fileDirectory.addFile(file);
}
@Override
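Review bot: The descendant check on `relative.startsWith("..")` is purely lexical: `normalize()` collapses `..` segments in the path string but does not resolve symbolic links, so a link stored under `applicationDir` whose target lies outside it would still pass and reach `fileDirectory.addFile(file)`. If application packages can contain symlinks (not visible from this hunk), compare resolved paths instead, e.g. `Path root = applicationDir.toPath().toRealPath();` followed by `if (!file.toPath().toRealPath().startsWith(root)) throw new IllegalArgumentException(file + " is not a descendant of " + applicationDir);`. Note that `toRealPath()` throws for a missing file, which would change the exception the existing missing-file test observes. The same lexical-only check is added in the `LocalFileDb.addFile` hunk. Separately, `path` is normalized but only used for `isAbsolute()`, and a `relativize` result should never be absolute, so the `normalize()` on `path` and the `relative.isAbsolute()` test look redundant.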
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/filedistribution/FileDBRegistryTestCase.java b/configserver/src/test/java/com/yahoo/vespa/config/server/filedistribution/FileDBRegistryTestCase.java
index c322990b8d1..cdb01f2013b 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/filedistribution/FileDBRegistryTestCase.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/filedistribution/FileDBRegistryTestCase.java
@@ -25,6 +25,8 @@ public class FileDBRegistryTestCase {
private static final String APP = "src/test/apps/zkapp";
private static final String FOO_FILE = "files/foo.json";
private static final String NO_FOO_FILE = "files/no_foo.json";
+ private static final String BOO_FILE = "/files/no_foo.json";
+ private static final String BAR_FILE = "../files/no_foo.json";
private static final String BLOB_NAME = "myblob.name";
private static final FileReference BLOB_REF = new FileReference("12f292a25163dd9");
private static final FileReference FOO_REF = new FileReference("b5ce94ca1feae86c");
@@ -42,6 +44,18 @@ public class FileDBRegistryTestCase {
} catch (IllegalArgumentException e) {
assertEquals("src/test/apps/zkapp/files/no_foo.json (No such file or directory)", e.getCause().getMessage());
}
+ try {
+ fileRegistry.addFile(BOO_FILE);
+ fail();
+ } catch (IllegalArgumentException e) {
+ assertEquals("/files/no_foo.json is not relative", e.getMessage());
+ }
+ try {
+ fileRegistry.addFile(BAR_FILE);
+ fail();
+ } catch (IllegalArgumentException e) {
+ assertEquals("src/test/apps/zkapp/../files/no_foo.json is not a descendant of src/test/apps/zkapp", e.getMessage());
+ }
assertEquals(BLOB_REF, fileRegistry.addBlob(BLOB_NAME, ByteBuffer.wrap(BLOB.getBytes(StandardCharsets.UTF_8))));
String serializedRegistry = FileDBRegistry.exportRegistry(fileRegistry);
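Review bot: Both new cases put the offending segment at the very start of the path (`/files/no_foo.json` and `../files/no_foo.json`), so nothing here exercises a `..` that appears after a valid prefix, which is the case the `normalize()` call in `addFile` exists for. Add a third constant and try block, for example `"files/../../files/no_foo.json"` (constructed sample), asserting the same "is not a descendant of" message. The try/`fail()`/catch form matches the block above it; `assertThrows` would be shorter if the project's JUnit version provides it. The test method starts above this hunk.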
diff --git a/controller-server/src/test/resources/application-packages/changed-deployment-xml.zip b/controller-server/src/test/resources/application-packages/changed-deployment-xml.zip
index 05e75f1d24a..e4ec61c50ab 100644
--- a/controller-server/src/test/resources/application-packages/changed-deployment-xml.zip
+++ b/controller-server/src/test/resources/application-packages/changed-deployment-xml.zip
Binary files differ
diff --git a/controller-server/src/test/resources/application-packages/changed-services-xml.zip b/controller-server/src/test/resources/application-packages/changed-services-xml.zip
index 3051d27836a..daaa1bd9e3c 100644
--- a/controller-server/src/test/resources/application-packages/changed-services-xml.zip
+++ b/controller-server/src/test/resources/application-packages/changed-services-xml.zip
Binary files differ
diff --git a/controller-server/src/test/resources/application-packages/original.zip b/controller-server/src/test/resources/application-packages/original.zip
index 4cf2ffa7c46..3963527a6cd 100644
--- a/controller-server/src/test/resources/application-packages/original.zip
+++ b/controller-server/src/test/resources/application-packages/original.zip
Binary files differ
diff --git a/controller-server/src/test/resources/application-packages/similar-deployment-xml.zip b/controller-server/src/test/resources/application-packages/similar-deployment-xml.zip
index 72b7c7cb327..4075ee08ce3 100644
--- a/controller-server/src/test/resources/application-packages/similar-deployment-xml.zip
+++ b/controller-server/src/test/resources/application-packages/similar-deployment-xml.zip
Binary files differ
diff --git a/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java b/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java
index 285f0f60c3f..f755d988f28 100644
--- a/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java
+++ b/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java
@@ -52,6 +52,10 @@ public class LocalFileDb implements FileAcquirer, FileRegistry {
@Override
public FileReference addFile(String relativePath) {
File file = appPath.resolve(relativePath).toFile();
+ Path relative = appPath.relativize(file.toPath()).normalize();
+ if (relative.isAbsolute() || relative.startsWith(".."))
+ throw new IllegalArgumentException(file + " is not a descendant of " + appPath);
+
if (!file.exists()) {
throw new RuntimeException("The file does not exist: " + file.getPath());
}
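Review bot: An absolute `relativePath` is not rejected up front here as it is in `ApplicationFileManager.addFile`: `appPath.resolve(relativePath)` returns an absolute argument unchanged, and what happens next depends on `appPath`. If `appPath` is absolute, a path outside it is caught by the `..` test, but if `appPath` is relative then `relativize` itself throws an `IllegalArgumentException` about mismatched path types rather than the intended message. Adding `if (Path.of(relativePath).isAbsolute()) throw new IllegalArgumentException(relativePath + " is not relative");` before the `resolve` call would keep the two implementations consistent. Whether `appPath` is absolute is not visible here, and the method body continues past the end of the hunk.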