Fix for GHSL-2022-008 vulnerability.

kwwall · kwwall · commit a0d67b755938 · 2022-04-17T00:32:15.000-04:00
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java
@@ -466,7 +466,7 @@ public String getValidDirectoryPath(String context, String input, File parent, b
 			if ( !parent.isDirectory() ) {
 				throw new ValidationException( context + ": Invalid directory name", "Invalid directory, specified parent is not a directory: context=" + context + ", input=" + input + ", parent=" + parent );
 			}
-			if ( !dir.getCanonicalPath().startsWith(parent.getCanonicalPath() ) ) {
+			if ( !dir.getCanonicalFile().toPath().startsWith( parent.getCanonicalFile().toPath() ) ) { // Fixes GHSL-2022-008
 				throw new ValidationException( context + ": Invalid directory name", "Invalid directory, not inside specified parent: context=" + context + ", input=" + input + ", parent=" + parent );
 			}
 

Original file line number	Diff line number	Diff line change
`@@ -466,7 +466,7 @@ public String getValidDirectoryPath(String context, String input, File parent, b`
`466`	`466`	`if ( !parent.isDirectory() ) {`
`467`	`467`	`throw new ValidationException( context + ": Invalid directory name", "Invalid directory, specified parent is not a directory: context=" + context + ", input=" + input + ", parent=" + parent );`
`468`	`468`	`}`
`469`		`- if ( !dir.getCanonicalPath().startsWith(parent.getCanonicalPath() ) ) {`
	`469`	`+ if ( !dir.getCanonicalFile().toPath().startsWith( parent.getCanonicalFile().toPath() ) ) { // Fixes GHSL-2022-008`
`470`	`470`	`throw new ValidationException( context + ": Invalid directory name", "Invalid directory, not inside specified parent: context=" + context + ", input=" + input + ", parent=" + parent );`
`471`	`471`	`}`
`472`	`472`