

🐛 Uncontrolled data used in path expression (alibaba#11822)
xuxiaowei-com-cn authored and cxhello committed Mar 20, 2024
1 parent 611d845 commit a0af95c
Showing 2 changed files with 10 additions and 3 deletions.
Expand Up @@ -48,11 +48,11 @@ private StringUtils() {

private static final String[] EMPTY_STRING_ARRAY = {};

private static final String TOP_PATH = "..";
public static final String TOP_PATH = "..";

private static final String FOLDER_SEPARATOR = "/";
public static final String FOLDER_SEPARATOR = "/";

private static final String WINDOWS_FOLDER_SEPARATOR = "\\";
public static final String WINDOWS_FOLDER_SEPARATOR = "\\";

/**
* <p>Create a string with encoding format as utf8.</p>
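Review bot: TOP_PATH, FOLDER_SEPARATOR and WINDOWS_FOLDER_SEPARATOR become part of StringUtils' public surface in this hunk but carry no Javadoc, so a caller importing them statically has only the literal to go by. A one-line comment on each, for example `/** Parent-directory segment ("..") rejected by path-traversal checks. */` above TOP_PATH and the corresponding "Unix path separator" / "Windows path separator" lines above the other two, would state the intended use. The enclosing StringUtils class starts before the lines shown in this hunk.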
Expand Up @@ -34,6 +34,10 @@
import java.util.HashMap;
import java.util.Map;

import static com.alibaba.nacos.common.utils.StringUtils.FOLDER_SEPARATOR;
import static com.alibaba.nacos.common.utils.StringUtils.TOP_PATH;
import static com.alibaba.nacos.common.utils.StringUtils.WINDOWS_FOLDER_SEPARATOR;

/**
* Server state controller.
*
Expand Down Expand Up @@ -66,6 +70,9 @@ public ResponseEntity<Map<String, String>> serverState() {
public RestResult<String> getAnnouncement(
@RequestParam(required = false, name = "language", defaultValue = "zh-CN") String language) {
String file = ANNOUNCEMENT_FILE.substring(0, ANNOUNCEMENT_FILE.length() - 5) + "_" + language + ".conf";
if (file.contains(TOP_PATH) || file.contains(FOLDER_SEPARATOR) || file.contains(WINDOWS_FOLDER_SEPARATOR)) {
throw new IllegalArgumentException("Invalid filename");
}
File announcementFile = new File(EnvUtil.getConfPath(), file);
String announcement = null;
if (announcementFile.exists() && announcementFile.isFile()) {
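Review bot: The new guard in getAnnouncement checks the assembled `file` string against a denylist of `..`, `/` and `\\`, which closes the traversal this commit targets but is narrower than validating the untrusted `language` request parameter itself against an allowlist. Checking the parameter before concatenation with, for example, `private static final Pattern LANGUAGE_TAG = Pattern.compile("[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*");` and `if (!LANGUAGE_TAG.matcher(language).matches()) { throw new IllegalArgumentException("Invalid language"); }` rejects every unexpected character rather than three known-bad ones and keeps the filename-building logic free of validation concerns. As defence in depth the resolved `announcementFile` could additionally be confirmed to lie under `EnvUtil.getConfPath()` by comparing canonical paths, since the added check relies on string content alone. Whether the IllegalArgumentException reaches the client as a 4xx rather than a 500 depends on exception handling not visible in this hunk, and the body of getAnnouncement continues past the hunk's last line.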

