Fix file system actor (v4.0 xD)

Author: J0B10

src/main/scala/org/codeoverflow/chatoverflow/connector/actor/FileSystemActor.scala

@@ -1,11 +1,12 @@
 package org.codeoverflow.chatoverflow.connector.actor
 
 import java.io.{File, PrintWriter}
-import java.nio.file.{Files, Paths}
+import java.nio.file.Files
 
 import akka.actor.Actor
 import org.codeoverflow.chatoverflow.connector.actor.FileSystemActor._
 
+import scala.annotation.tailrec
 import scala.io.Source
 
 /**
@@ -30,20 +31,20 @@ class FileSystemActor extends Actor {
   override def receive: Receive = {
     case LoadFile(pathInResources) =>
       try {
-        sender ! Some(Source.fromFile(new File(dataFolder, pathInResources)).mkString)
+        sender ! Some(Source.fromFile(s"$dataFilePath${fixPath(pathInResources)}").mkString)
       } catch {
         case _: Exception => None
       }
     case LoadBinaryFile(pathInResources) =>
       try {
-        sender ! Some(Files.readAllBytes(new File(dataFolder, pathInResources).toPath))
+        sender ! Some(Files.readAllBytes(fixPath(pathInResources).toPath))
       } catch {
         case e: Exception => e.printStackTrace()
           None
       }
     case SaveFile(pathInResources, content) =>
       try {
-        val writer = new PrintWriter(new File(dataFolder, pathInResources))
+        val writer = new PrintWriter(fixPath(pathInResources))
         writer.write(content)
         writer.close()
         sender ! true
@@ -52,18 +53,36 @@ class FileSystemActor extends Actor {
       }
     case SaveBinaryFile(pathInResources, content) =>
       try {
-        Files.write(new File(dataFolder, pathInResources).toPath, content)
+        Files.write(fixPath(pathInResources).toPath, content)
         sender ! true
       } catch {
         case _: Exception => sender ! false
       }
     case CreateDirectory(folderName) =>
       try {
-        sender !new File(dataFolder, folderName).mkdir()
+        sender ! fixPath(folderName).mkdir()
       } catch {
         case _: Exception => sender ! false
       }
   }
+
+  private def fixPath(path: String): File = {
+    val fixedPath = new File(dataFolder, path).getCanonicalFile
+    val dataCanonical = dataFolder.getCanonicalFile
+    @tailrec def insideDataFolder(path: File): Boolean = {
+      val parent = Option(path.getParentFile)
+      if (parent.isEmpty) {
+        false
+      } else if (parent.get.equals(dataCanonical)) {
+        true
+      } else {
+        insideDataFolder(parent.get)
+      }
+    }
+    if (!insideDataFolder(fixedPath))
+      throw new SecurityException(s"file access is restricted to resource folder (${dataFolder.getCanonicalPath})")
+    fixedPath
+  }
 }
 
 object FileSystemActor {