Validate filepath and filename to prevent path traversal (#1604)

Validate filepath and filename to prevent path traversal in modification command and provide validations for editor plugin. Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
2026-03-06 04:10:52 +01:00 · 2021-03-25 12:50:24 +01:00
parent 08549a37b1
commit d94ebb2e3e
12 changed files with 169 additions and 11 deletions
--- a/scm-plugins/scm-hg-plugin/src/main/java/sonia/scm/repository/spi/HgModifyCommand.java
+++ b/scm-plugins/scm-hg-plugin/src/main/java/sonia/scm/repository/spi/HgModifyCommand.java
@@ -93,6 +93,11 @@ public class HgModifyCommand extends AbstractWorkingCopyCommand implements Modif
              private void addFileToHg(File file) {
                workingRepository.workingCopy().add(file.getAbsolutePath());
              }
+
+              @Override
+              public boolean isProtectedPath(Path path) {
+                return path.startsWith(workingRepository.getDirectory().toPath().normalize().resolve(".hg"));
+              }
            });
          } catch (IOException e) {
            throwInternalRepositoryException("could not execute command on repository", e);