From aff293337701a121801f7f0570f0aa40553c0d3f Mon Sep 17 00:00:00 2001
From: Jon Marius Venstad
Date: Thu, 24 Mar 2022 14:06:09 +0100
Subject: Make application dir upper level
---
 .../src/main/java/com/yahoo/container/standalone/LocalFileDb.java | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'standalone-container/src')
diff --git a/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java b/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java
index 285f0f60c3f..f755d988f28 100644
--- a/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java
+++ b/standalone-container/src/main/java/com/yahoo/container/standalone/LocalFileDb.java
@@ -52,6 +52,10 @@ public class LocalFileDb implements FileAcquirer, FileRegistry {
 @Override
 public FileReference addFile(String relativePath) {
 File file = appPath.resolve(relativePath).toFile();
+ Path relative = appPath.relativize(file.toPath()).normalize();
+ if (relative.isAbsolute() || relative.startsWith(".."))
+ throw new IllegalArgumentException(file + " is not a descendant of " + appPath);
+
 if (!file.exists()) {
 throw new RuntimeException("The file does not exist: " + file.getPath());
 }
-- 
cgit v1.2.3
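Review bot: The new containment check in `addFile` is purely lexical, so a symbolic link inside `appPath` that resolves outside it still passes `relative.startsWith("..")` and goes on to the existence check. If application directories may contain links the operator does not control, compare resolved paths once the file is known to exist, e.g. `file.toPath().toRealPath().startsWith(appPath.toRealPath())`, wrapping the `IOException` that call can throw. `Path.relativize` returns a relative path by contract, so the `relative.isAbsolute()` arm looks unreachable; and if `appPath` is relative while `relativePath` is absolute, `relativize` throws its own `IllegalArgumentException` before this message is built, which a comment such as `// rejects ../ escapes and absolute inputs; does not follow symlinks` would make explicit. The rest of `addFile` lies outside the hunk, so how `file` is used afterwards is not visible here.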