// Phase 13 path-traversal sanitized (Java). Canonicalises the path
// via `base.resolve(name).normalize()` and validates containment with
// `startsWith(base)`; the canonical value is returned as a string,
// never reaching a FILE_IO sink. Demonstrates the new `Path.normalize`
// Sanitizer(FILE_IO) recogniser registered in `src/labels/java.rs`.
package handlers;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServletRequest;
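/**
 * Phase-13 fixture: a path-traversal check whose result never reaches a
 * FILE_IO sink. The untrusted {@code name} request parameter is resolved
 * under a fixed base directory, normalised lexically, and rejected unless
 * the result is still contained in that directory; the canonical path is
 * returned only as a string.
 */
public class PathTraversalSafe {

    /**
     * Resolves the {@code name} request parameter under {@code /var/data}
     * and returns the canonical path as a string.
     *
     * @param req request whose {@code name} parameter is the untrusted file name
     * @return the normalised absolute path of an entry strictly inside {@code /var/data}
     * @throws SecurityException if {@code name} is missing, names the base
     *         directory itself, or escapes it (e.g. {@code ../../etc/passwd}
     *         or an absolute path)
     */
    public String safeHandle(HttpServletRequest req) throws Exception {
        String name = req.getParameter("name");
        // getParameter returns null when the parameter is absent; resolve(null)
        // would surface as a NullPointerException instead of a clean rejection.
        if (name == null) {
            throw new SecurityException("missing name parameter");
        }
        Path base = Paths.get("/var/data");
        // resolve() discards base when name is absolute, and normalize() folds
        // "." and ".." lexically, so every escape attempt ends up as a path
        // that no longer starts with base. startsWith compares whole path
        // components, so "/var/data2" is not mistaken for a child of "/var/data".
        Path candidate = base.resolve(name).normalize();
        // An empty name or "." normalises to base itself; the caller asked for
        // an entry inside the directory, so the directory itself is rejected too.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new SecurityException("escape");
        }
        // NOTE(review): normalize() is purely lexical and does not follow
        // symlinks. If this string is ever handed to a file sink, a symlink
        // inside /var/data could still point outside it; that sink would need
        // toRealPath() on both sides. Here the value is only returned.
        return candidate.toString();
    }
}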