Protect against bad paths and URLs

philwebb · philwebb · commit 4ad149e1e710 · 2021-02-18T16:23:56.000-08:00
See gh-21722
diff --git a/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/build/BuildpackReference.java b/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/build/BuildpackReference.java
@@ -53,11 +53,17 @@ Path asPath() {
 			if (url.getProtocol().equals("file")) {
 				return Paths.get(url.getPath());
 			}
+			return null;
 		}
 		catch (MalformedURLException ex) {
 			// not a URL, fall through to attempting to find a plain file path
 		}
-		return Paths.get(this.value);
+		try {
+			return Paths.get(this.value);
+		}
+		catch (Exception ex) {
+			return null;
+		}
 	}
 
 	@Override
diff --git a/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/build/DirectoryBuildpack.java b/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/build/DirectoryBuildpack.java
@@ -93,7 +93,7 @@ private void addLayerContent(Layout layout) throws IOException {
 	 */
 	static Buildpack resolve(BuildpackResolverContext context, BuildpackReference reference) {
 		Path path = reference.asPath();
-		if (Files.exists(path) && Files.isDirectory(path)) {
+		if (path != null && Files.exists(path) && Files.isDirectory(path)) {
 			return new DirectoryBuildpack(path);
 		}
 		return null;
diff --git a/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/build/TarGzipBuildpack.java b/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/build/TarGzipBuildpack.java
@@ -109,7 +109,7 @@ private void copyAndRebaseEntries(OutputStream outputStream) throws IOException
 	 */
 	static Buildpack resolve(BuildpackResolverContext context, BuildpackReference reference) {
 		Path path = reference.asPath();
-		if (Files.exists(path) && Files.isRegularFile(path)) {
+		if (path != null && Files.exists(path) && Files.isRegularFile(path)) {
 			return new TarGzipBuildpack(path);
 		}
 		return null;

Original file line number	Diff line number	Diff line change
`@@ -53,11 +53,17 @@ Path asPath() {`
`53`	`53`	`if (url.getProtocol().equals("file")) {`
`54`	`54`	`return Paths.get(url.getPath());`
`55`	`55`	`}`
	`56`	`+ return null;`
`56`	`57`	`}`
`57`	`58`	`catch (MalformedURLException ex) {`
`58`	`59`	`// not a URL, fall through to attempting to find a plain file path`
`59`	`60`	`}`
`60`		`- return Paths.get(this.value);`
	`61`	`+ try {`
	`62`	`+ return Paths.get(this.value);`
	`63`	`+ }`
	`64`	`+ catch (Exception ex) {`
	`65`	`+ return null;`
	`66`	`+ }`
`61`	`67`	`}`
`62`	`68`
`63`	`69`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ private void addLayerContent(Layout layout) throws IOException {`
`93`	`93`	`*/`
`94`	`94`	`static Buildpack resolve(BuildpackResolverContext context, BuildpackReference reference) {`
`95`	`95`	`Path path = reference.asPath();`
`96`		`- if (Files.exists(path) && Files.isDirectory(path)) {`
	`96`	`+ if (path != null && Files.exists(path) && Files.isDirectory(path)) {`
`97`	`97`	`return new DirectoryBuildpack(path);`
`98`	`98`	`}`
`99`	`99`	`return null;`
Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ private void copyAndRebaseEntries(OutputStream outputStream) throws IOException`
`109`	`109`	`*/`
`110`	`110`	`static Buildpack resolve(BuildpackResolverContext context, BuildpackReference reference) {`
`111`	`111`	`Path path = reference.asPath();`
`112`		`- if (Files.exists(path) && Files.isRegularFile(path)) {`
	`112`	`+ if (path != null && Files.exists(path) && Files.isRegularFile(path)) {`
`113`	`113`	`return new TarGzipBuildpack(path);`
`114`	`114`	`}`
`115`	`115`	`return null;`