CAMEL-23868: camel-file - make local work directory / starting directory containment checks path-boundary aware #24377

Open
oscerd wants to merge 1 commit into apache:main from oscerd:fix/CAMEL-23868

@oscerd oscerd commented Jul 2, 2026

Contributor

What

GenericFileHelper.jailToLocalWorkDirectory (added in CAMEL-23765 to keep remote-file
localWorkDirectory downloads inside the configured work directory) and
GenericFileProducer.jailedCheck (the jailStartingDirectory producer check) both decided
containment with a bare String.startsWith prefix test.

A bare prefix test ignores path-segment boundaries. When the compacted directory string has no
trailing separator — which is what jailToLocalWorkDirectory gets from File.getPath() — a
sibling directory whose name merely extends the configured directory's name (for example
.../localwork vs .../localworkEVIL) also satisfies the prefix and is wrongly treated as
contained. jailedCheck avoids this today only incidentally, because the producer always hands it
a baseDir that carries a trailing separator.

Change

  • Add a shared, boundary-aware GenericFileHelper.isWithinDirectory(compactTarget, compactDir) and
    route both containment checks through it, so the two can no longer drift apart.
  • The helper compares on path-segment boundaries (equals, or startsWith(dir + File.separator)),
    tolerates a trailing separator on the directory (the producer supplies one), and treats an empty
    directory as "no boundary" — preserving the existing behaviour for all legitimate cases.

Tests

  • GenericFileHelperTest: a name-prefixed sibling (../localworkEVIL/...) is now rejected, and a
    new test locks the shared helper's boundary, trailing-separator and empty-directory behaviour.

Continues the containment work from CAMEL-23765.

Issue: https://issues.apache.org/jira/browse/CAMEL-23868

Claude Code on behalf of Andrea Cosentino

🤖 Generated with Claude Code
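
The boundary rule described in this PR, as an added Java example; it is not the Camel patch or any project code. The class and method names (`PathBoundaryDemo`, `barePrefix`, `withinDirectory`, `withinDirectoryNio`) and the sample paths are constructed for illustration, and inputs are assumed to be already compacted (no `.` or `..` segments).

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;

// Illustrative sketch only: hypothetical names, constructed sample paths.
public class PathBoundaryDemo {

    // "Before": plain string prefix test, blind to path-segment boundaries.
    static boolean barePrefix(String target, String dir) {
        return target.startsWith(dir);
    }

    // "After": the target is the directory itself, or lies below it across a
    // separator. Assumes both arguments are already compacted.
    static boolean withinDirectory(String target, String dir) {
        if (dir == null || dir.isEmpty()) {
            return true; // empty directory: no boundary to enforce
        }
        String sep = File.separator;
        // Tolerate a trailing separator on the directory.
        String prefix = dir.endsWith(sep) ? dir : dir + sep;
        String bare = prefix.substring(0, prefix.length() - sep.length());
        return target.equals(bare) || target.startsWith(prefix);
    }

    // Same decision with java.nio.file.Path, whose startsWith compares whole
    // name elements rather than characters.
    static boolean withinDirectoryNio(String target, String dir) {
        if (dir == null || dir.isEmpty()) {
            return true;
        }
        Path base = Paths.get(dir).normalize();
        return Paths.get(target).normalize().startsWith(base);
    }

    public static void main(String[] args) {
        String sep = File.separator;
        String work = sep + "data" + sep + "localwork"; // constructed work directory

        String[] targets = {
            work + sep + "in" + sep + "a.txt",   // child: contained
            work,                                // the directory itself: contained
            work + "EVIL" + sep + "a.txt",       // name-prefixed sibling: not contained
            sep + "data" + sep + "other.txt"     // unrelated path: not contained
        };

        // Run every target against the directory with and without a trailing separator.
        for (String dir : new String[] { work, work + sep }) {
            System.out.println("directory = " + dir);
            for (String t : targets) {
                System.out.printf("  %-32s bare=%-5b boundary=%-5b nio=%b%n",
                        t, barePrefix(t, dir), withinDirectory(t, dir),
                        withinDirectoryNio(t, dir));
            }
        }
    }
}
```

Only the directory without a trailing separator lets the `localworkEVIL` sibling through the bare prefix test; with the trailing separator the bare test rejects the sibling but also rejects the directory itself, which is why the two call sites behaved differently before sharing one helper.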

@github-actions

github-actions Bot commented Jul 2, 2026

Contributor

🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

  • First-time contributors require MANUAL approval for the GitHub Actions to run
  • You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
  • You can label PRs using skip-tests and test-dependents to fine-tune the checks executed by this PR.
  • Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

@oscerd oscerd requested review from Croway and davsclaus July 2, 2026 08:24

@davsclaus davsclaus left a comment

Contributor

Reviewed against the project's contribution rules and conventions.

Correctness — the fix is sound:

  • The new isWithinDirectory correctly handles: exact match, child paths via startsWith(dir + File.separator), trailing separators on the directory, and empty directory (no boundary).
  • Both call sites (jailToLocalWorkDirectory and jailedCheck) route through the same helper, eliminating the prior risk of the two checks drifting apart.
  • FileUtil.compactPath normalises separators before the comparison reaches isWithinDirectory, so mixed-separator edge cases are handled.

Tests — adequate:

  • The new isWithinDirectoryRespectsPathBoundaries test covers exact match, children, trailing separator tolerance, name-prefix sibling rejection, and empty directory — good boundary coverage.
  • The existing shouldRejectFilesEscapingLocalWorkDirectory test gets an additional assertion for the localworkEVIL sibling scenario, locking the fix at the integration level.

Project conventions — all met:

  • Commit message follows CAMEL-23868: <description> format.
  • JIRA issue linked in PR body.
  • AI attribution present.
  • Single commit, focused scope, no unrelated changes.

Prior history — no conflicts:

  • jailToLocalWorkDirectory was introduced in CAMEL-23765 by the same author. This PR is a direct continuation fixing a gap identified in that work.
  • jailedCheck in GenericFileProducer was incidentally safe because the producer always appends a trailing separator to baseDir — but that's fragile. Routing through the shared helper is the right fix.

This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.

@github-actions

github-actions Bot commented Jul 2, 2026

Contributor

🧪 CI tested the following changed modules:

  • components/camel-file

ℹ️ Dependent modules were not tested because the total number of affected modules exceeded the threshold (50). Use the test-dependents label to force testing all dependents.


🔬 Scalpel shadow comparison — Scalpel: 472 tested, 29 compile-only — current: 472 all tested

Maveniverse Scalpel detected 501 affected modules (current approach: 472).

⚠️ Modules only in Scalpel (29)

Skip-tests mode would test 472 modules (1 direct + 471 downstream), skip tests for 29 (generated code, meta-modules)

Modules Scalpel would test (472)
Modules with tests skipped (29)

ℹ️ Shadow mode — Scalpel observes but does not affect test execution. Learn more

Build reactor — dependencies compiled but only changed modules were tested (500 modules)

⚙️ View full build and test results

…ory containment checks path-boundary aware

The localWorkDirectory containment check (GenericFileHelper.jailToLocalWorkDirectory,
added in CAMEL-23765) and the starting-directory check (GenericFileProducer.jailedCheck)
both used a bare String.startsWith prefix test, which ignores path-segment boundaries.
When the compacted directory has no trailing separator (as jailToLocalWorkDirectory
produces via File.getPath), a sibling directory whose name merely extends the work
directory's name (for example .../localwork versus .../localworkEVIL) passed the check.

Introduce a shared, boundary-aware GenericFileHelper.isWithinDirectory and route both
checks through it so they cannot diverge. It tolerates a trailing separator (the producer
supplies one) and treats an empty directory as no boundary, preserving existing behaviour.

Add GenericFileHelperTest coverage for a name-prefixed sibling and for the shared helper's
boundary, trailing-separator and empty-directory cases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>