Merge pull request #549 from fugerit-org/alert-autofix-114

Potential fix for code scanning alert no. 114: Uncontrolled data used in path expression

Author: fugerit79

fj-doc-maven-plugin/src/main/java/org/fugerit/java/doc/project/facade/FeatureFacade.java

@@ -11,6 +11,7 @@
 import org.fugerit.java.doc.project.facade.flavour.ProcessEntry;
 
 import java.io.*;
+import java.nio.file.Path;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -19,6 +20,18 @@ public class FeatureFacade {
 
     private FeatureFacade() {}
 
+    /**
+     * Checks that the given file is inside the baseFolder after normalization.
+     * Throws IOException if not.
+     */
+    public static void checkIfInBaseFolder(File baseFolder, File file) throws IOException {
+        Path base = baseFolder.getCanonicalFile().toPath().normalize();
+        Path target = file.getCanonicalFile().toPath().normalize();
+        if (!target.startsWith(base)) {
+            throw new IOException( String.format( "File path %s is not within permitted base folder %s", file.getCanonicalPath(), baseFolder.getCanonicalPath() ) );
+        }
+    }
+
     public static void copyFlavourList( File baseFolder, String actualFlavour ) throws IOException {
         copyResourcesList( baseFolder, "flavour", actualFlavour );
     }
@@ -37,16 +50,25 @@ private static void copyResourcesList( File baseFolder, String mode, String id )
         }
     }
 
-    protected static void insureParent( File file ) throws IOException {
+    public static void insureParent( File file ) throws IOException {
         File parentFile = file.getParentFile();
-        if ( !parentFile.exists() ) {
-            log.info( "creates parent directory {}, mkdirs:? {}", parentFile.getCanonicalPath(), parentFile.mkdirs() );
+        // Defensive: check parent is within project's root as well
+        if (parentFile != null) {
+            File baseFolder = file.getParentFile().getParentFile();
+            if (baseFolder != null) {
+                checkIfInBaseFolder(baseFolder, parentFile);
+            }
+            if ( !parentFile.exists() ) {
+                log.info( "creates parent directory {}, mkdirs:? {}", parentFile.getCanonicalPath(), parentFile.mkdirs() );
+            }
         }
     }
 
     protected static void copyFile(String path, File baseFolder, String basePath ) {
         SafeFunction.apply( () -> {
             File outputFile = new File( baseFolder, path );
+            // Validate that the output file is inside the intended base folder
+            checkIfInBaseFolder(baseFolder, outputFile);
             insureParent( outputFile );
             String fullPath = basePath+path;
             log.info( "copy path '{}' to file '{}'", fullPath, outputFile.getCanonicalPath() );

fj-doc-maven-plugin/src/test/java/test/org/fugerit/java/doc/project/facade/TestFeatureFacade.java

@@ -0,0 +1,46 @@
+package test.org.fugerit.java.doc.project.facade;
+
+import org.fugerit.java.doc.project.facade.FeatureFacade;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import java.io.File;
+import java.io.IOException;
+
+class TestFeatureFacade {
+
+    @Test
+    void checkIfInBaseFolderTestOk() throws IOException {
+        File baseFolder = new File( "." );
+        File file = new File( "pom.xml" );
+        FeatureFacade.checkIfInBaseFolder( baseFolder, file );
+        Assertions.assertTrue( file.exists() );
+    }
+
+    @Test
+    void checkIfInBaseFolderTestKo() {
+        File baseFolder = new File( "fj-doc-base" );
+        File file = new File( "pom.xml" );
+        Assertions.assertThrows( IOException.class, () -> FeatureFacade.checkIfInBaseFolder( baseFolder, file ) );
+    }
+
+    @Test
+    void insureParentTestNull1() throws IOException {
+        File root = File.listRoots()[0];
+        FeatureFacade.insureParent( root );
+        Assertions.assertTrue( root.exists() );
+    }
+
+    @Test
+    void insureParentTestNull2() throws IOException {
+        File root = File.listRoots()[0];
+        if ( root != null ) {
+            File[] list = root.listFiles();
+            if ( list != null && list.length > 0 ) {
+                FeatureFacade.insureParent( list[0] );
+                Assertions.assertTrue( root.exists() );
+            }
+        }
+    }
+
+}