slightly more robust way to evade path traversal

vladak · vladak · commit 008e5f35ac70 · 2025-08-29T17:33:01.000+02:00
diff --git a/opengrok-indexer/src/main/java/org/opengrok/indexer/web/Laundromat.java b/opengrok-indexer/src/main/java/org/opengrok/indexer/web/Laundromat.java
@@ -25,8 +25,11 @@
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 
+import java.nio.file.Path;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.stream.Collectors;
@@ -78,7 +81,15 @@ public static String launderRevision(String value) {
      * path components {@code /../} removed.
      */
     public static String launderPath(String value) {
-        return replaceAll(value, "/../", "");
+        Path path = Path.of(value);
+        List<String> pathElements = new ArrayList<>();
+        for (int i = 0; i < path.getNameCount(); i++) {
+            if (path.getName(i).toString().equals("..")) {
+                continue;
+            }
+            pathElements.add(path.getName(i).toString());
+        }
+        return (path.isAbsolute() ? "/" : "") + String.join("/", pathElements);
     }
 
     /**
diff --git a/opengrok-indexer/src/test/java/org/opengrok/indexer/web/LaundromatTest.java b/opengrok-indexer/src/test/java/org/opengrok/indexer/web/LaundromatTest.java
@@ -70,6 +70,20 @@ void testLaunderServerName(Pair<String, String> param) {
         assertEquals(param.getLeft(), param.getRight());
     }
 
+    private static Stream<Pair<String, String>> getParamsForTestLaunderPath() {
+        return Stream.of(Pair.of("foo", Laundromat.launderPath("../../../foo")),
+                Pair.of("/foo/bar", Laundromat.launderPath("/foo/../../bar")),
+                Pair.of("/foo/bar..", Laundromat.launderPath("/foo/bar..")),
+                Pair.of("..foo/bar", Laundromat.launderPath("..foo/bar")),
+                Pair.of("/foo/bar.txt", Laundromat.launderPath("/foo/bar.txt")));
+    }
+
+    @ParameterizedTest
+    @MethodSource("getParamsForTestLaunderPath")
+    void testLaunderPath(Pair<String, String> param) {
+        assertEquals(param.getLeft(), param.getRight());
+    }
+
     @Test
     void launderLogMap() {
         HashMap<String, String[]> testMap = new HashMap<>();
