flightstats / hub

fault tolerant, highly available service for data storage and distribution
http://www.flightstats.com
MIT License

HUB-1391: Added Canonical method into SpokeFile.java for #1398

Closed Haripriya99j closed 3 months ago

Haripriya99j commented 3 months ago

Jira tickets: https://cirium.atlassian.net/browse/HUB-1391

Other related tickets resolved by this change: https://cirium.atlassian.net/browse/HUB-1387 https://cirium.atlassian.net/browse/HUB-1388 https://cirium.atlassian.net/browse/HUB-1389 https://cirium.atlassian.net/browse/HUB-1405 https://cirium.atlassian.net/browse/HUB-1408

Integration tests: https://ddt-jenkins.prod.flightstats.io/job/run-hub-integration-tests-against-cluster/110/console

System tests: https://ddt-jenkins.prod.flightstats.io/job/run-hub-system-tests/29/

Summary of the canonical method used here: getCanonicalPath() is a built-in method of Java's File class. It returns the canonical (standardized) pathname string of the file object, which is an absolute path with all symbolic links, relative paths, and redundant path elements resolved.

Here's how it works:

Absolute Path: It converts the file path to an absolute path.
Normalization: It removes any . (current directory) and .. (parent directory) references to simplify the path.
Symbolic Links: It resolves any symbolic links in the path.

By using getCanonicalPath(), you can reliably determine the actual path on the filesystem that a File object refers to, making it a useful method for validating and sanitizing file paths to prevent path traversal attacks.

Added isSafePath(File file) method to verify if the resolved canonical path of the file starts with the base directory. This ensures that the path is within the intended directory and prevents path traversal attacks.
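An added illustration of the canonical-path containment check described above; this is example code, not the hub project's SpokeFile.java, and the class name SafePathCheck, the baseDir field and the temporary directory used as the base are assumptions made for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class SafePathCheck {

    // Hypothetical base directory; a real deployment would use its configured storage root.
    private final File baseDir;

    public SafePathCheck(File baseDir) throws IOException {
        // Canonicalize the base once so both sides of the comparison are in the same form
        // (this matters on hosts where the storage root itself sits behind a symlink).
        this.baseDir = baseDir.getCanonicalFile();
    }

    /**
     * Returns true only if the file's canonical path lies inside the base directory.
     * Canonicalization resolves ".", ".." and symbolic links, so "base/../etc/passwd"
     * and a symlink inside base that points outside it are both rejected.
     */
    public boolean isSafePath(File file) throws IOException {
        String base = baseDir.getCanonicalPath();
        String target = file.getCanonicalPath();
        // The base itself is allowed; anything else must start with base plus a separator,
        // so a sibling directory such as "/data/spoke2" does not slip past a bare
        // startsWith("/data/spoke") check.
        return target.equals(base) || target.startsWith(base + File.separator);
    }

    public static void main(String[] args) throws IOException {
        // Constructed temp directory so the example runs anywhere without setup.
        File base = Files.createTempDirectory("spoke").toFile();
        File sibling = new File(base.getPath() + "2");
        SafePathCheck check = new SafePathCheck(base);

        File[] candidates = {
            new File(base, "channel/2024/01/01/payload"),   // inside base: true
            new File(base, "channel/../../etc/passwd"),     // escapes via "..": false
            new File(base, "../" + base.getName() + "/ok"),  // leaves and re-enters base: true
            new File(sibling, "x"),                          // prefix collision with base: false
        };
        for (File f : candidates) {
            System.out.println(check.isSafePath(f) + "  " + f.getPath());
        }
    }
}
```

Callers should treat an IOException thrown during canonicalization as a rejection rather than letting the path through.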

Haripriya99j commented 3 months ago

Want to get your point of view for this code change. It's passing all test cases for system tests and integration tests. Once IAD is ready we can deploy this code into dev cluster and check whether it's good to proceed. Before that just want your POV for this.

Checkmarx scan after these code changes: https://checkmarx.rbxd.ds/CxWebClient/ViewerMain.aspx?scanId=1498504&ProjectID=3993

Haripriya99j commented 3 months ago

Successful Jenkins build link: https://ddt-jenkins.prod.flightstats.io/job/run-hub-development-integration/169/console

https://ddt-jenkins.prod.flightstats.io/job/deploy-hub-to-environment/85/