Now disallowing access to files/folders outside the provided config

tothenew · Feb 25, 2012 · 406a77f · 406a77f
1 parent aa88e87
commit 406a77f
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 4 deletions.
diff --git a/grails-app/controllers/org/grails/plugins/fileviewer/FileController.groovy b/grails-app/controllers/org/grails/plugins/fileviewer/FileController.groovy
@@ -13,7 +13,7 @@ class FileController {
         Map model = [locations: fileLocations.locations]
         if (params.filePath) {
             File file = new File(params.filePath)
-            if (file.exists()) {
+            if (fileLocations.isValidPath(params.filePath) && file.exists()) {
                 if (file.isFile()) {
                     List locations = getSubFiles(file.parentFile)
                     String fileContents = getFileContents(file)
@@ -26,6 +26,8 @@ class FileController {
                     model['prevLocation'] = file.getParentFile()?.absolutePath
                 }
                 model['showBackLink'] = true
+            } else {
+                model.errorMessage = message(code: 'default.path.invalid.message')
             }
         }
         render(view: "/file/fileList", model: model, plugin: 'fileViewer')

diff --git a/grails-app/i18n/message.properties b/grails-app/i18n/message.properties
@@ -1,4 +1,5 @@
 default.link.back.label=Back
 default.page.title.label=File List
 default.page.body.detail=Please click on the links below to view detailed reports:
-default.link.download.label=Download complete file
+default.link.download.label=Download complete file
+default.path.invalid.message=Path provide was either not found or was outside the config scope
diff --git a/grails-app/views/file/fileList.gsp b/grails-app/views/file/fileList.gsp
@@ -5,18 +5,20 @@
 	<title><g:message code="default.page.title.label" default="File List" /></title>
     <style type="text/css">
         * {margin: 0;padding: 0;}
-        body {font-size: 100.01%;font-family: Arial, sans-serif;color: #333;background: #f8f8f8;padding: 2em;}
+        body {font-size: 100.01%;font-family: Arial, sans-serif;color: #333;background: #f8f8f8;padding: 10px;}
         h1 {color: #363;font-size: 1.2em;margin: .5em 0;}
         p, pre, li {margin: 0 0 .5em 0;list-style: square;}
         ul {margin: 1em;}
         pre {background: #eee;border: 1px solid #999;padding: .5em;margin: .5em;font-size: .9em;}
         a {color: #369;font-size: .8em;}
+        div.error{background: #ff0000;margin: 10px;}
     </style>
 </head>
 <body>
 <br/><strong>
 	<g:message code="default.page.body.detail" default="Please click on the links below to view detailed reports:" />
 </strong><br/><br/>
+<g:if test="${errorMessage}"><div class="error">${errorMessage}</div></g:if>
 <g:if test="${showBackLink}">
 	<div id="backLink">
 		<a class="showReportLink" href="${createLink(action: 'index', params: [filePath: prevLocation])}">

diff --git a/src/groovy/org/grails/plugins/fileviewer/FileLocations.groovy b/src/groovy/org/grails/plugins/fileviewer/FileLocations.groovy
@@ -6,6 +6,17 @@ package org.grails.plugins.fileviewer
  */
 
 class FileLocations {
-	List<String> locations
+    List<String> locations
     Integer linesCount
+    Boolean areDoubleDotsAllowedInFilePath = false
+
+    boolean isValidPath(String filePath) {
+        boolean isValid = this.locations.any {filePath.startsWith(it)}
+        if(isValid && !areDoubleDotsAllowedInFilePath) {
+            isValid = !filePath.contains("..")
+        }
+        isValid
+    }
+
+
 }