CAMEL-23868: camel-file - make local work directory / starting directory containment checks path-boundary aware#24377
CAMEL-23868: camel-file - make local work directory / starting directory containment checks path-boundary aware#24377oscerd wants to merge 1 commit into
Conversation
|
🌟 Thank you for your contribution to the Apache Camel project! 🌟 🐫 Apache Camel Committers, please review the following items:
|
davsclaus
left a comment
There was a problem hiding this comment.
Reviewed against the project's contribution rules and conventions.
Correctness — the fix is sound:
- The new
isWithinDirectorycorrectly handles: exact match, child paths viastartsWith(dir + File.separator), trailing separators on the directory, and empty directory (no boundary). - Both call sites (
jailToLocalWorkDirectoryandjailedCheck) route through the same helper, eliminating the prior risk of the two checks drifting apart. FileUtil.compactPathnormalises separators before the comparison reachesisWithinDirectory, so mixed-separator edge cases are handled.
Tests — adequate:
- The new
isWithinDirectoryRespectsPathBoundariestest covers exact match, children, trailing separator tolerance, name-prefix sibling rejection, and empty directory — good boundary coverage. - The existing
shouldRejectFilesEscapingLocalWorkDirectorytest gets an additional assertion for thelocalworkEVILsibling scenario, locking the fix at the integration level.
Project conventions — all met:
- Commit message follows
CAMEL-23868: <description>format. - JIRA issue linked in PR body.
- AI attribution present.
- Single commit, focused scope, no unrelated changes.
Prior history — no conflicts:
jailToLocalWorkDirectorywas introduced in CAMEL-23765 by the same author. This PR is a direct continuation fixing a gap identified in that work.jailedCheckinGenericFileProducerwas incidentally safe because the producer always appends a trailing separator tobaseDir— but that's fragile. Routing through the shared helper is the right fix.
This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.
|
🧪 CI tested the following changed modules:
🔬 Scalpel shadow comparison — Scalpel: 472 tested, 29 compile-only — current: 472 all testedMaveniverse Scalpel detected 501 affected modules (current approach: 472).
|
…ory containment checks path-boundary aware The localWorkDirectory containment check (GenericFileHelper.jailToLocalWorkDirectory, added in CAMEL-23765) and the starting-directory check (GenericFileProducer.jailedCheck) both used a bare String.startsWith prefix test, which ignores path-segment boundaries. When the compacted directory has no trailing separator (as jailToLocalWorkDirectory produces via File.getPath), a sibling directory whose name merely extends the work directory's name (for example .../localwork versus .../localworkEVIL) passed the check. Introduce a shared, boundary-aware GenericFileHelper.isWithinDirectory and route both checks through it so they cannot diverge. It tolerates a trailing separator (the producer supplies one) and treats an empty directory as no boundary, preserving existing behaviour. Add GenericFileHelperTest coverage for a name-prefixed sibling and for the shared helper's boundary, trailing-separator and empty-directory cases. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
3ab6006 to
ce53bd2
Compare
What
GenericFileHelper.jailToLocalWorkDirectory(added in CAMEL-23765 to keep remote-filelocalWorkDirectorydownloads inside the configured work directory) andGenericFileProducer.jailedCheck(thejailStartingDirectoryproducer check) both decidedcontainment with a bare
String.startsWithprefix test.A bare prefix test ignores path-segment boundaries. When the compacted directory string has no
trailing separator — which is what
jailToLocalWorkDirectorygets fromFile.getPath()— asibling directory whose name merely extends the configured directory's name (for example
.../localworkvs.../localworkEVIL) also satisfies the prefix and is wrongly treated ascontained.
jailedCheckavoids this today only incidentally, because the producer always hands ita
baseDirthat carries a trailing separator.Change
GenericFileHelper.isWithinDirectory(compactTarget, compactDir)androute both containment checks through it, so the two can no longer drift apart.
equals, orstartsWith(dir + File.separator)),tolerates a trailing separator on the directory (the producer supplies one), and treats an empty
directory as "no boundary" — preserving the existing behaviour for all legitimate cases.
Tests
GenericFileHelperTest: a name-prefixed sibling (../localworkEVIL/...) is now rejected, and anew test locks the shared helper's boundary, trailing-separator and empty-directory behaviour.
Continues the containment work from CAMEL-23765.
Issue: https://issues.apache.org/jira/browse/CAMEL-23868
Claude Code on behalf of Andrea Cosentino
🤖 Generated with Claude Code