464556 - Restrict start module downloads to ${jetty.base} paths only

+ Restrict [files] section references (download/uri/maven) to output only in ${jetty.base} tree
2025-03-01 03:19:13 +00:00 · 2015-04-13 16:46:46 -07:00 · 2015-04-13 16:46:46 -07:00 · 0e2b1856b5
commit 0e2b1856b5
parent cea577bd17
3 changed files with 11 additions and 1 deletions
--- a/jetty-start/src/main/java/org/eclipse/jetty/start/BaseBuilder.java
+++ b/jetty-start/src/main/java/org/eclipse/jetty/start/BaseBuilder.java
@ -251,6 +251,11 @@ public class BaseBuilder
    {
        if (startArgs.isDownload() && (arg.uri != null))
        {
+            if (!file.startsWith(baseHome.getBasePath()))
+            {
+                throw new IOException("For security reasons, Jetty start is unable to process file resource not in ${jetty.base} - " + file);
+            }
+            
            URI uri = URI.create(arg.uri);

            // Process via initializers
--- a/jetty-start/src/main/java/org/eclipse/jetty/start/BaseHome.java
+++ b/jetty-start/src/main/java/org/eclipse/jetty/start/BaseHome.java
@ -200,7 +200,7 @@ public class BaseHome
     */
    public Path getBasePath(String path)
    {
-        return baseDir.resolve(path);
+        return baseDir.resolve(path).normalize().toAbsolutePath();
    }

    public ConfigSources getConfigSources()
--- a/jetty-start/src/main/java/org/eclipse/jetty/start/fileinits/MavenLocalRepoFileInitializer.java
+++ b/jetty-start/src/main/java/org/eclipse/jetty/start/fileinits/MavenLocalRepoFileInitializer.java
@ -108,6 +108,11 @@ public class MavenLocalRepoFileInitializer extends UriFileInitializer implements
            return true;
        }

+        if (!file.startsWith(baseHome.getBasePath()))
+        {
+            throw new IOException("For security reasons, Jetty start is unable to process maven file resource not in ${jetty.base} - " + file);
+        }
+        
        // If using local repository
        if (this.localRepositoryDir != null)
        {