[SECURITY] Fix Partial Path Traversal Vulnerability

docs/modules/site-integration/pages/compatibility-matrix.adoc

@@ -8,6 +8,11 @@ Release candidate releases are not accounted.
 |===
 |Asciidoctor Maven Plugin | Maven Site Plugin | Supported
 
+// TODO uncomment on release
+//|v3.0.x
+//|v3.1x.x ~ v4.x.x
+//|Yes
+
 |v2.2.2
 |v3.1x.x
 |Yes

pom.xml

@@ -76,7 +76,7 @@
         <plexus.utils.version>3.0.23</plexus.utils.version>
         <plexus.component.metadata.version>1.7</plexus.component.metadata.version>
         <netty.version>4.1.77.Final</netty.version>
-        <doxia.version>1.11.1</doxia.version>
+        <doxia.version>2.0.0-M2</doxia.version>
     </properties>
 
     <dependencyManagement>

src/it/maven-site-plugin/pom.xml

@@ -22,14 +22,14 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-project-info-reports-plugin</artifactId>
-                <version>3.1.2</version>
+                <version>3.3.0</version>
             </plugin>
             <!-- tag::plugin-decl[] -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-site-plugin</artifactId>
                 <!-- v2.2.2 of the plugin require Maven Site Plugin 3.1x.0 alongside Doxia 1.11.1 -->
-                <version>3.12.0</version>
+                <version>4.0.0-M1</version>
                 <configuration>
                     <asciidoc>
                         <baseDir>${project.basedir}/src/site/asciidoc</baseDir>

src/it/maven-site-plugin/src/site/site.xml

@@ -1,8 +1,8 @@
 <project name="Maven Site Plugin IT">
     <body>
+        <menu ref="reports"/>
         <menu name="AsciiDoc Pages">
             <item name="File with TOC" href="/file-with-toc.html"/>
         </menu>
-      ${reports}
     </body>
 </project>

src/main/java/org/asciidoctor/maven/log/LogRecordFormatter.java

@@ -53,7 +53,7 @@ private static String calculateFileRelativePath(Cursor cursor, File sourceDirect
                 final String sourceFile = new File(cursor.getFile()).getCanonicalPath();
                 final String sourceDir = sourceDirectory.getCanonicalPath();
 
-                if (sourceFile.startsWith(sourceDir)) {
+                if (new File(cursor.getFile()).getCanonicalFile().toPath().startsWith(sourceDir)) {
                     return sourceFile.substring(sourceDirectory.getCanonicalPath().length() + 1);
                 }
             }

src/main/java/org/asciidoctor/maven/refresh/ResourceCopyFileAlterationListenerAdaptor.java

@@ -120,8 +120,7 @@ private boolean containsRecursiveIncludes(Resource resource) {
 
     private boolean isSubDirectory(File parent, File file) {
         try {
-            return file.getParentFile().getCanonicalPath()
-                    .startsWith(parent.getCanonicalPath());
+            return file.getParentFile().getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath());
         } catch (IOException e) {
             return false;
         }

src/main/java/org/asciidoctor/maven/site/AsciidoctorDoxiaParser.java

@@ -13,13 +13,14 @@
 import org.codehaus.plexus.component.annotations.Component;
 import org.codehaus.plexus.util.IOUtil;
 import org.codehaus.plexus.util.xml.Xpp3Dom;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
 import javax.inject.Provider;
 import java.io.File;
 import java.io.IOException;
 import java.io.Reader;
-import java.util.logging.Logger;
 
 /**
  * This class is used by <a href="https://maven.apache.org/doxia/overview.html">the Doxia framework</a>
@@ -33,6 +34,8 @@
 @Component(role = Parser.class, hint = AsciidoctorDoxiaParser.ROLE_HINT)
 public class AsciidoctorDoxiaParser extends AbstractTextParser {
 
+    private Logger logger = LoggerFactory.getLogger(AsciidoctorDoxiaParser.class);
+
     @Inject
     protected Provider<MavenProject> mavenProjectProvider;
 
@@ -52,7 +55,7 @@ public void parse(Reader reader, Sink sink, String reference) throws ParseExcept
                 source = "";
             }
         } catch (IOException ex) {
-            getLog().error("Could not read AsciiDoc source: " + ex.getLocalizedMessage());
+            logger.error("Could not read AsciiDoc source: " + ex.getLocalizedMessage());
             return;
         }
 
@@ -79,7 +82,7 @@ public void parse(Reader reader, Sink sink, String reference) throws ParseExcept
         String asciidocHtml = convertAsciiDoc(asciidoctor, source, conversionConfig.getOptions());
         try {
             // process log messages according to mojo configuration
-            new LogRecordsProcessors(logHandler, siteDirectory, errorMessage -> getLog().error(errorMessage))
+            new LogRecordsProcessors(logHandler, siteDirectory, errorMessage -> logger.error(errorMessage))
                     .processLogRecords(memoryLogHandler);
         } catch (Exception exception) {
             throw new ParseException(exception.getMessage(), exception);
@@ -91,10 +94,10 @@ public void parse(Reader reader, Sink sink, String reference) throws ParseExcept
     private MemoryLogHandler asciidoctorLoggingSetup(Asciidoctor asciidoctor, LogHandler logHandler, File siteDirectory) {
 
         final MemoryLogHandler memoryLogHandler = new MemoryLogHandler(logHandler.getOutputToConsole(), siteDirectory,
-                logRecord -> getLog().info(LogRecordFormatter.format(logRecord, siteDirectory)));
+                logRecord -> logger.info(LogRecordFormatter.format(logRecord, siteDirectory)));
         asciidoctor.registerLogHandler(memoryLogHandler);
         // disable default console output of AsciidoctorJ
-        Logger.getLogger("asciidoctor").setUseParentHandlers(false);
+        java.util.logging.Logger.getLogger("asciidoctor").setUseParentHandlers(false);
         return memoryLogHandler;
     }
 
@@ -136,7 +139,7 @@ private void requireLibrary(Asciidoctor asciidoctor, String require) {
             try {
                 asciidoctor.requireLibrary(require);
             } catch (Exception ex) {
-                getLog().error(ex.getLocalizedMessage());
+                logger.error(ex.getLocalizedMessage());
             }
         }
     }

src/main/java/org/asciidoctor/maven/site/AsciidoctorDoxiaParserModule.java

@@ -30,6 +30,6 @@ public class AsciidoctorDoxiaParserModule extends AbstractParserModule {
      * Build a new instance of {@link AsciidoctorDoxiaParserModule}.
      */
     public AsciidoctorDoxiaParserModule() {
-        super(SOURCE_DIRECTORY, FILE_EXTENSION, AsciidoctorDoxiaParser.ROLE_HINT);
+        super(SOURCE_DIRECTORY, AsciidoctorDoxiaParser.ROLE_HINT, FILE_EXTENSION);
     }
 }