GHSA-82j3-hf72-7x93 Make Location a bit safer to use out-of-the-box by immediately sanitazing invalid symbols

dzikoysk · dzikoysk · commit e172ae4b539c · 2024-05-03T18:05:21.000+02:00
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.6-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-all.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/reposilite-backend/src/main/kotlin/com/reposilite/frontend/infrastructure/FrontendHandler.kt b/reposilite-backend/src/main/kotlin/com/reposilite/frontend/infrastructure/FrontendHandler.kt
@@ -27,19 +27,18 @@ import com.reposilite.storage.getSimpleName
 import com.reposilite.storage.inputStream
 import com.reposilite.web.api.ReposiliteRoute
 import com.reposilite.web.api.ReposiliteRoutes
-import io.javalin.community.routing.Route
 import io.javalin.community.routing.Route.GET
 import io.javalin.http.ContentType
 import io.javalin.http.Context
 import io.javalin.http.HttpStatus.INTERNAL_SERVER_ERROR
-import panda.std.Result
-import panda.std.asSuccess
 import java.io.InputStream
 import java.nio.charset.StandardCharsets.UTF_8
 import java.nio.file.Files
 import java.nio.file.Path
 import kotlin.io.path.isDirectory
 import kotlin.streams.asSequence
+import panda.std.Result
+import panda.std.asSuccess
 
 internal sealed class FrontendHandler(private val frontendFacade: FrontendFacade) : ReposiliteRoutes() {
 
diff --git a/reposilite-backend/src/main/kotlin/com/reposilite/storage/api/Location.kt b/reposilite-backend/src/main/kotlin/com/reposilite/storage/api/Location.kt
@@ -17,49 +17,54 @@
 package com.reposilite.storage.api
 
 import com.reposilite.storage.getExtension
+import java.nio.file.Path
+import java.nio.file.Paths
 import panda.std.Result
 import panda.std.asSuccess
 import panda.std.letIf
-import java.nio.file.Path
-import java.nio.file.Paths
 
 /**
  * [Path] alternative, represents location of resource in [com.reposilite.storage.StorageProvider]
  */
-@Suppress("DataClassPrivateConstructor")
-data class Location private constructor(private val uri: String) {
+class Location private constructor(private val uri: String) {
 
     companion object {
 
+        private val empty = Location("")
         private val multipleSlashes = Regex("/+")
+        private val multipleDirectoryOperators = Regex("\\.{2,}")
 
         @JvmStatic
-        fun of(uri: String): Location =
-            uri.replace("\\", "/")
+        fun of(uri: String): Location {
+            return uri
+                .replaceBefore(":", "")
+                .replace(":", "")
+                .replace(multipleDirectoryOperators, ".")
+                .replace("\\", "/")
                 .replace(multipleSlashes, "/")
                 .letIf({ it.startsWith("/") }) { it.removePrefix("/") }
                 .letIf({ it.endsWith("/") }) { it.removeSuffix("/") }
                 .let { Location(it) }
+        }
 
         @JvmStatic
         fun of(path: Path): Location =
-            path.toString().toLocation()
+            of(path.normalize().toString())
 
         @JvmStatic
         fun of(root: Path, path: Path): Location =
-            of(root.relativize(path))
+            of(root.relativize(path.normalize()))
 
         @JvmStatic
         fun empty(): Location =
-            "".toLocation()
+            empty
 
     }
 
     fun toPath(): Result<Path, String> {
-        if (uri.contains("..") || uri.contains(":") || uri.contains("\\")) {
+        if (uri.contains(":") || uri.contains("\\") || uri.contains(multipleDirectoryOperators)) {
             return Result.error("Illegal path operator in URI")
         }
-
         return Paths.get(uri).normalize().asSuccess()
     }
 
@@ -99,13 +104,23 @@ data class Location private constructor(private val uri: String) {
     fun getSimpleName(): String =
         uri.substringAfterLast("/")
 
+    override fun equals(other: Any?): Boolean =
+        when {
+            this === other -> true
+            javaClass != other?.javaClass -> false
+            else -> uri == (other as Location).uri
+        }
+
+    override fun hashCode(): Int =
+        uri.hashCode()
+
     override fun toString(): String =
         uri
 
 }
 
 fun String?.toLocation(): Location =
-    if (this != null)
-        Location.of(this)
-    else
-        Location.empty()
+    when {
+        this != null -> Location.of(this)
+        else -> Location.empty()
+    }
diff --git a/reposilite-backend/src/main/kotlin/com/reposilite/token/infrastructure/RouteCommands.kt b/reposilite-backend/src/main/kotlin/com/reposilite/token/infrastructure/RouteCommands.kt
@@ -55,7 +55,7 @@ internal class RouteAdd(private val accessTokenFacade: AccessTokenFacade) : Repo
                 val mappedPermissions = mapPermissions() ?: let {
                     context.status = FAILED
                     context.append("Unknown permission shortcuts (${permissions.toCharArray().joinToString()})")
-                    context.append("Available options (${RoutePermission.values().joinToString { perm -> perm.shortcut }})")
+                    context.append("Available options (${RoutePermission.entries.joinToString { perm -> perm.shortcut }})")
                     return
                 }
 
@@ -89,7 +89,7 @@ internal class RouteRemove(private val accessTokenFacade: AccessTokenFacade) : R
     override fun execute(context: CommandContext) {
         accessTokenFacade.getAccessToken(name)
             ?.also { token ->
-                RoutePermission.values().forEach { accessTokenFacade.deleteRoute(token.identifier, Route(path, it)) }
+                RoutePermission.entries.forEach { accessTokenFacade.deleteRoute(token.identifier, Route(path, it)) }
                 context.append("Routes of token $name has been updated")
             }
             ?: run {
diff --git a/reposilite-backend/src/test/kotlin/com/reposilite/SharedSpecification.kt b/reposilite-backend/src/test/kotlin/com/reposilite/SharedSpecification.kt
@@ -23,5 +23,5 @@ internal fun assertCollectionsEquals(actual: Collection<Any?>, expected: Collect
         return
     }
 
-    assertThat(actual.sortedBy { it.toString() }).isEqualTo(expected.sortedBy { it.toString() }) // pretty printing
+    assertThat(actual.sortedBy { it.toString() }).containsExactlyElementsOf(expected.sortedBy { it.toString() }) // pretty printing
 }
diff --git a/reposilite-backend/src/test/kotlin/com/reposilite/storage/LocationTest.kt b/reposilite-backend/src/test/kotlin/com/reposilite/storage/LocationTest.kt
@@ -17,9 +17,10 @@
 package com.reposilite.storage
 
 import com.reposilite.storage.api.Location
+import java.io.File
+import java.nio.file.Path
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.api.Test
-import panda.std.ResultAssertions.assertError
 
 class LocationTest {
 
@@ -33,9 +34,10 @@ class LocationTest {
     }
 
     @Test
-    fun `should drop corrupted paths`() {
-        assertError(Location.of("../artifact").toPath())
-        assertError(Location.of("C:/artifact").toPath())
+    fun `should normalize corrupted paths`() {
+        assertThat(Location.of(Path.of("../../artifact")).toPath().get().toString()).isEqualTo("artifact")
+        assertThat(Location.of(Path.of("C:/artifact")).toPath().get().toString()).isEqualTo("artifact")
+        assertThat(Location.of("artifact").resolve("../../root").toPath().get().toString()).isEqualTo("artifact" + File.separator + "root")
     }
 
 }

Original file line number	Diff line number	Diff line change
`@@ -23,5 +23,5 @@ internal fun assertCollectionsEquals(actual: Collection<Any?>, expected: Collect`
`23`	`23`	`return`
`24`	`24`	`}`
`25`	`25`
`26`		`- assertThat(actual.sortedBy { it.toString() }).isEqualTo(expected.sortedBy { it.toString() }) // pretty printing`
	`26`	`+ assertThat(actual.sortedBy { it.toString() }).containsExactlyElementsOf(expected.sortedBy { it.toString() }) // pretty printing`
`27`	`27`	`}`