Prevent path traversal attacks in run parameters

Mark Robinson · Mark Robinson · commit 40c6d35ed7e8 · 2017-03-08T20:02:16.000Z
diff --git a/src/main/java/org/commonwl/viewer/domain/CWLCollection.java b/src/main/java/org/commonwl/viewer/domain/CWLCollection.java
@@ -28,6 +28,7 @@
 import org.apache.commons.io.FilenameUtils;
 import org.commonwl.viewer.services.DockerService;
 import org.commonwl.viewer.services.GitHubService;
+import org.commonwl.viewer.web.PathTraversalException;
 import org.eclipse.egit.github.core.RepositoryContents;
 import org.yaml.snakeyaml.Yaml;
 
@@ -200,14 +201,16 @@ private String findMainWorkflow() {
 
         // Store the in degree of each workflow
         Map<String, Integer> inDegrees = new HashMap<String, Integer>();
-        for (String key : cwlDocs.keySet()) {
-            inDegrees.put(key, 0);
+        for (Map.Entry<String, JsonNode> doc : cwlDocs.entrySet()) {
+            if (doc.getValue().get(CLASS).asText().equals(WORKFLOW)) {
+                inDegrees.put(doc.getKey(), 0);
+            }
         }
 
         // Loop through documents and calculate in degrees
         for (Map.Entry<String, JsonNode> doc : cwlDocs.entrySet()) {
             JsonNode content = doc.getValue();
-            if (content.get(CLASS).asText().equals(WORKFLOW)) {
+            if (inDegrees.containsKey(doc.getKey())) {
                 // Parse workflow steps and see whether other workflows are run
                 JsonNode steps = content.get(STEPS);
                 if (steps.getClass() == ArrayNode.class) {
@@ -254,8 +257,9 @@ private String findMainWorkflow() {
     /**
      * Gets the Workflow object for this collection of documents
      * @return A Workflow object representing the main workflow amongst the files added
+     * @throws PathTraversalException If run path is outside the root Github directory
      */
-    public Workflow getWorkflow() {
+    public Workflow getWorkflow() throws PathTraversalException {
         // Get the main workflow
         if (mainWorkflowKey == null) {
             mainWorkflowKey = findMainWorkflow();
@@ -282,13 +286,28 @@ public Workflow getWorkflow() {
     /**
      * Fill the step runtypes based on types of other documents
      * @param workflow The workflow model to set runtypes for
+     * @throws PathTraversalException If run path is outside the root Github directory
      */
-    private void fillStepRunTypes(Workflow workflow) {
+    private void fillStepRunTypes(Workflow workflow) throws PathTraversalException {
         Map<String, CWLStep> steps = workflow.getSteps();
         for (CWLStep step : steps.values()) {
-            Path filePath = Paths.get(githubInfo.getPath()).resolve(step.getRun());
-            JsonNode runDoc = cwlDocs.get(filePath.toString());
-            step.setRunType(extractProcess(runDoc));
+            String runParam = step.getRun();
+            if (runParam != null) {
+                JsonNode runDoc;
+                if (runParam.startsWith("#")) {
+                    runDoc = cwlDocs.get(runParam.substring(1));
+                } else {
+                    Path basePath = Paths.get(githubInfo.getPath());
+                    Path filePath = basePath.resolve(runParam);
+                    if (!filePath.startsWith(basePath)) {
+                        throw new PathTraversalException("Step run parameter path '" + filePath +
+                                "' is outside base path '" + basePath + "'");
+                    }
+                    runDoc = cwlDocs.get(filePath.toString());
+                    step.setRunType(extractProcess(runDoc));
+                }
+                step.setRunType(extractProcess(runDoc));
+            }
         }
     }
 
diff --git a/src/main/java/org/commonwl/viewer/web/PathTraversalException.java b/src/main/java/org/commonwl/viewer/web/PathTraversalException.java
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.commonwl.viewer.web;
+
+/**
+ * Exception thrown when a potential path traversal attempt was prevented
+ */
+public class PathTraversalException extends Exception {
+    public PathTraversalException(String message) {
+        super(message);
+    }
+}
