Description
In NativeProcessLauncher.java, the path traversal check uses path.contains("../") to detect directory traversal attempts. This check is insufficient because:
- It does not handle URL-encoded sequences (e.g., %2e%2e%2f)
- It does not resolve symlinks (a symlink could point outside the allowed directory)
- It does not handle Windows-style separators (..\\) if the platform runs on Windows
- It does not canonicalize the path before checking
Location
platform-core/src/main/java/org/flossware/platform/core/NativeProcessLauncher.java
- Path validation uses simple string contains("../") check
Impact
- An attacker could potentially escape the allowed directory by using symlinks or encoded paths
- Could execute arbitrary native binaries outside the designated directory
Suggested Fix
- Canonicalize the path using Path.toRealPath() (which resolves symlinks)
- Verify the canonical path starts with the canonical allowed base directory
- Reject paths containing null bytes or other special characters
- Example: Paths.get(inputPath).toRealPath().startsWith(allowedDir.toRealPath())
Labels
bug, security
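One way to implement the suggested fix, as an added example that is not code from the issue or from the project. The class name SafeBinaryResolver, its resolve method and the temp-directory layout in main are assumptions constructed for illustration:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added example: SafeBinaryResolver and resolve() are hypothetical names,
// not taken from NativeProcessLauncher.java.
public final class SafeBinaryResolver {

    /** Returns the canonical path of the requested binary, or throws if it lies outside allowedDir. */
    static Path resolve(Path allowedDir, String inputPath) throws IOException {
        if (inputPath == null || inputPath.isEmpty() || inputPath.indexOf('\0') >= 0) {
            throw new SecurityException("empty path or null byte");
        }
        Path base = allowedDir.toRealPath();             // canonical base, symlinks resolved
        Path real;
        try {
            // An absolute input replaces base here; the containment check below rejects it.
            real = base.resolve(inputPath).toRealPath(); // throws IOException if the file is missing
        } catch (InvalidPathException e) {
            throw new SecurityException("malformed path", e);
        }
        // Path.startsWith compares whole name elements, so /opt/bin-evil does not match /opt/bin.
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("path outside allowed directory: " + inputPath);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temp directory.
        Path root = Files.createTempDirectory("launcher-demo");
        Path allowed = Files.createDirectory(root.resolve("bin"));
        Files.createFile(allowed.resolve("tool"));
        Files.createFile(root.resolve("outside"));
        try {
            Files.createSymbolicLink(allowed.resolve("link"), root.resolve("outside"));
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("symlink case skipped: " + e);
        }
        for (String p : new String[] {"tool", "../outside", "link", "sub/../../outside"}) {
            try {
                System.out.println(p + " -> " + resolve(allowed, p));
            } catch (SecurityException | IOException e) {
                System.out.println(p + " -> rejected (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

The caller should launch the returned canonical path rather than the original input string, so the path that was checked is the path that is executed.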