Control data used in path expression

gastaldi · May 22, 2024 · a3b6987 · a3b6987
1 parent 149db64
commit a3b6987
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/core/deployment/src/main/java/io/quarkus/deployment/dev/IsolatedRemoteDevModeMain.java b/core/deployment/src/main/java/io/quarkus/deployment/dev/IsolatedRemoteDevModeMain.java
@@ -253,14 +253,19 @@ private Closeable doConnect() {
                     @Override
                     public Map<String, byte[]> apply(Set<String> fileNames) {
                         Map<String, byte[]> ret = new HashMap<>();
-                        for (String i : fileNames) {
+                        for (String filename : fileNames) {
                             try {
-                                Path resolvedPath = appRoot.resolve(i);
+                                Path resolvedPath = appRoot.resolve(filename);
+                                // Ensure that path stays inside appRoot
+                                if (!resolvedPath.startsWith(appRoot)) {
+                                    log.errorf("Attempted to access %s outside of %s", resolvedPath, appRoot);
+                                    continue;
+                                }
                                 if (!Files.isDirectory(resolvedPath)) {
-                                    ret.put(i, Files.readAllBytes(resolvedPath));
+                                    ret.put(filename, Files.readAllBytes(resolvedPath));
                                 }
                             } catch (IOException e) {
-                                log.error("Failed to read file " + i, e);
+                                log.error("Failed to read file " + filename, e);
                             }
                         }
                         return ret;