honeymoose
/
org.hl7.fhir.core
mirror of https://github.com/hapifhir/org.hl7.fhir.core.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Start removing path.toFile()

This commit is contained in:
Grahame Grieve 2024-04-16 18:17:42 +10:00
parent 32296cfdb6
commit 99f40d18b5
3 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/terminologies/TerminologyCacheManager.java
View File

@ -99,7 +99,7 @@ public class TerminologyCacheManager {
try (ZipInputStream zipIn = new ZipInputStream(is)) {
for (ZipEntry ze; (ze = zipIn.getNextEntry()) != null; ) {
Path path = Path.of(Utilities.path(targetDir, ze.getName())).normalize();
String pathString = path.toFile().getAbsolutePath();
String pathString = ManagedFileAccess.fromPath(path).getAbsolutePath();
if (!path.startsWith(Path.of(targetDir).normalize())) {
// see: https://snyk.io/research/zip-slip-vulnerability
throw new RuntimeException("Entry with an illegal path: " + ze.getName());

17
org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/filesystem/ManagedFileAccess.java
View File

@ -37,6 +37,7 @@ import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
@ -205,4 +206,20 @@ public class ManagedFileAccess {
}
}
public static File fromPath(Path path) throws IOException {
switch (accessPolicy) {
case DIRECT:
if (!inAllowedPaths(path.toString())) {
throw new IOException("The pathname '"+path.toString()+"' cannot be accessed by policy");
}
return path.toFile();
case MANAGED:
return accessor.file(path.toString());
case PROHIBITED:
throw new IOException("Access to files is not allowed by local security policy");
default:
throw new IOException("Internal Error");
}
}
}

4
org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/tests/BaseTestingUtilities.java
View File

@ -120,9 +120,9 @@ public class BaseTestingUtilities {
public static void setFhirTestCasesDirectory(String s) {
}
public static void createParentDirIfNotExists(Path target) {
public static void createParentDirIfNotExists(Path target) throws IOException {
Path parent = target.getParent();
if (!parent.toFile().exists()) {
if (!ManagedFileAccess.fromPath(parent).exists()) {
parent.toFile().mkdirs();
}
}