Improve directory resource

genepi · Jun 30, 2022 · 97822a9 · 97822a9
1 parent 313bc25
commit 97822a9
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/src/main/java/cloudgene/mapred/WebApp.java b/src/main/java/cloudgene/mapred/WebApp.java
@@ -1,14 +1,21 @@
 package cloudgene.mapred;
 
 import java.io.File;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 import org.restlet.Application;
 import org.restlet.Restlet;
 import org.restlet.data.LocalReference;
+import org.restlet.data.Status;
+import org.restlet.engine.local.DirectoryServerResource;
 import org.restlet.resource.Directory;
+import org.restlet.resource.ResourceException;
 import org.restlet.routing.Redirector;
 import org.restlet.routing.Router;
 import org.restlet.routing.Template;
@@ -229,12 +236,14 @@ public synchronized Restlet createInboundRoot() {
 		setStatusService(new CustomStatusService());
 
 		Directory dir = new Directory(getContext(), webRoot2);
+		dir.setTargetClass(FixedDirectoryServerResource.class);
 		dir.setListingAllowed(false);
 
 		route = router.attach(prefix + "/static", dir);
 		route.setMatchingMode(Template.MODE_STARTS_WITH);
 
 		dir = new Directory(getContext(), webRoot);
+		dir.setTargetClass(FixedDirectoryServerResource.class);
 		dir.setListingAllowed(false);
 
 		route = router.attach(prefix + "/", dir);
@@ -304,5 +313,25 @@ public String getTemplate(String key, Object... strings) {
 		}
 
 	}
+
+	public static class FixedDirectoryServerResource extends DirectoryServerResource {
+
+		@Override
+		public void preventUpperDirectoryAccess() {
+
+			try {
+				URI targetUri = new URI(getTargetUri());
+				Path targetPath = Paths.get(targetUri).normalize();
+				URI baseUri = new URI(getDirectory().getRootRef().toString());
+				Path basePath = Paths.get(baseUri).normalize();
+				if (!targetPath.startsWith(basePath)) {
+					throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN);
+				}
+			} catch (URISyntaxException e) {
+				throw new ResourceException(e);
+			}
+		}
+
+	}
 
 }
diff --git a/src/main/java/cloudgene/mapred/representations/CustomStatusService.java b/src/main/java/cloudgene/mapred/representations/CustomStatusService.java
@@ -16,7 +16,7 @@ public Representation getRepresentation(Status status, Request request,
 		if (status.isClientError()) {
 
 			//setStatus(Status.CLIENT_ERROR_NOT_FOUND );
-			return new StringRepresentation("Oje!!");
+			return new StringRepresentation("Error");
 		} else {
 
 			// TODO Auto-generated method stub