Merge pull request #591 from tw-mosip/injiweb-1429-add-test-cases

[INJIWEB-1429] validate the template path for path injection attacks before calling the resolved template file
mosip · Feb 12, 2025 · 220cf9a · 220cf9a
2 parents 8f36844 + b7b666c
commit 220cf9a
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/main/java/io/mosip/mimoto/util/Utilities.java b/src/main/java/io/mosip/mimoto/util/Utilities.java
@@ -27,6 +27,7 @@
 import java.net.URI;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.List;
@@ -185,7 +186,14 @@ public String getTrustedVerifiersJsonValue() {
     public String getCredentialSupportedTemplateString(String issuerId, String credentialType) {
         String templateFileName = String.format("%s-%s-template.html", issuerId.toLowerCase(), credentialType.toLowerCase());
         if(activeProfile.equals("local")) {
-            Resource credentialTemplateResource = new ClassPathResource("templates/"+ templateFileName);
+            Path basePath = Paths.get("templates").toAbsolutePath().normalize();
+            Path resolvedPath = basePath.resolve(templateFileName).normalize();
+
+            if (!resolvedPath.startsWith(basePath)) {
+                throw new SecurityException("Attempted path traversal attack: " + resolvedPath);
+            }
+
+            Resource credentialTemplateResource = new ClassPathResource(resolvedPath.toString());
             try {
                 return Files.readString(credentialTemplateResource.getFile().toPath());
             } catch (IOException e) {