fix: avoid access to arbitrary resource via parent (#10356)

Checks whether the Url contains a directory change and a double encoding in Flow bundles resource handling servlet. Returns 403 Forbidden immediately and skip the request handling, if does.

Author: Denis

flow-server/src/main/java/com/vaadin/flow/server/HandlerHelper.java

@@ -195,7 +195,7 @@ public static String getCancelingRelativePath(String pathToCancel) {
      * @return {@code true}, if the given path has a directory change
      *         instruction, {@code false} otherwise.
      */
-    static boolean isPathUnsafe(String path) {
+    public static boolean isPathUnsafe(String path) {
         // Check that the path does not have '/../', '\..\', %5C..%5C,
         // %2F..%2F, nor '/..', '\..', %5C.., %2F..
         try {

flow-server/src/main/java/com/vaadin/flow/server/osgi/VaadinBundleTracker.java

@@ -49,6 +49,8 @@
 import org.osgi.util.tracker.BundleTracker;
 import org.slf4j.LoggerFactory;
 
+import com.vaadin.flow.server.HandlerHelper;
+
 /**
  * Bundle tracker to discover all classes in active bundles.
  * <p>
@@ -89,6 +91,10 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                 resp.setStatus(HttpURLConnection.HTTP_NOT_FOUND);
                 return;
             }
+            if (HandlerHelper.isPathUnsafe(pathInfo)) {
+                resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
+                return;
+            }
             URL resource = bundle.getResource(resourceDirPath + pathInfo);
             if (resource == null) {
                 resp.setStatus(HttpURLConnection.HTTP_NOT_FOUND);