[KEYCLOAK-19422] ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader
douglaspalmer authored and stianst committed Oct 18, 2021
1 parent 7d0af85 commit 73f0474
Showing 3 changed files with 37 additions and 3 deletions.
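--- a/services/src/main/java/org/keycloak/theme/ClassLoaderTheme.java
+++ b/services/src/main/java/org/keycloak/theme/ClassLoaderTheme.java
@@ -105,8 +105,19 @@ public URL getTemplate(String name) {
 }
 
 @Override
-public InputStream getResourceAsStream(String path) {
-return classLoader.getResourceAsStream(resourceRoot + path);
+public InputStream getResourceAsStream(String path) throws IOException {
+final URL rootResourceURL = classLoader.getResource(resourceRoot);
+if (rootResourceURL == null) {
+return null;
+}
+final String rootPath = rootResourceURL.getPath();
+final URL resourceURL = classLoader.getResource(resourceRoot + path);
+if(resourceURL == null || !resourceURL.getPath().startsWith(rootPath)) {
+return null;
+}
+else {
+return resourceURL.openConnection().getInputStream();
+}
 }
 
 @Override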
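Review bot: The containment check on the new `if(resourceURL == null || !resourceURL.getPath().startsWith(rootPath))` line is a plain string-prefix test, so unless `resourceRoot` is guaranteed to end with `/` (its value is outside the hunk) a sibling classpath entry whose name merely extends the root name would also pass; anchoring the prefix on a separator, e.g. `final String rootPath = rootResourceURL.getPath().endsWith("/") ? rootResourceURL.getPath() : rootResourceURL.getPath() + "/";`, closes that gap. The second hunk (the `THEME_RESOURCES_RESOURCES` variant) repeats the same pattern and would need the same adjustment. Note also that `classLoader.getResource(resourceRoot)` may return null for a directory when the containing jar was built without directory entries, in which case every lookup now returns null instead of the resource; that case deserves a comment or a jar-packaged test alongside the new traversal test. A short why-comment above the check, such as `// Reject resources that resolve outside the theme root (e.g. "../"), see KEYCLOAK-19422`, would record the intent; `getResourceAsStream` is fully visible here but the enclosing class is not.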
Expand Up @@ -39,7 +39,18 @@ public URL getTemplate(String name) throws IOException {

@Override
public InputStream getResourceAsStream(String path) throws IOException {
return classLoader.getResourceAsStream(THEME_RESOURCES_RESOURCES + path);
final URL rootResourceURL = classLoader.getResource(THEME_RESOURCES_RESOURCES);
if (rootResourceURL == null) {
return null;
}
final String rootPath = rootResourceURL.getPath();
final URL resourceURL = classLoader.getResource(THEME_RESOURCES_RESOURCES + path);
if(resourceURL == null || !resourceURL.getPath().startsWith(rootPath)) {
return null;
}
else {
return resourceURL.openConnection().getInputStream();
}
}

@Override
Expand Up @@ -73,6 +73,18 @@ public void getMessages() {
});
}

@Test
public void getResourceIllegalTraversal() {
testingClient.server().run(session -> {
try {
Theme theme = session.theme().getTheme("base", Theme.Type.LOGIN);
Assert.assertNull(theme.getResourceAsStream("../templates/test.ftl"));
} catch (IOException e) {
Assert.fail(e.getMessage());
}
});
}

@Test
public void gzipEncoding() throws IOException {
final String resourcesVersion = testingClient.server().fetch(session -> Version.RESOURCES_VERSION, String.class);
