return retStr;
}
+ function removeDotsFromPath(str) {
+ if(str === undefined){
+ return str;
+ }
+
+ var _pathTokens = str.split('/');
+ var _correctDir = [];
+ var _fileRealPath = _pathTokens[0];
+ _correctDir.push(_pathTokens[0]);
+ for (var i = 1; i < _pathTokens.length; ++i) {
+ if(_pathTokens[i] == "..") {
+ if (_fileRealPath == '') {
+ _fileRealPath = undefined;
+ break;
+ }
+ var _lastDir = _correctDir.pop();
+ _fileRealPath = _fileRealPath.substring(0, _fileRealPath.length - _lastDir.length - 1);
+ } else if(_pathTokens[i] != "."){
+ _fileRealPath += '/' + _pathTokens[i];
+ _correctDir.push(_pathTokens[i]);
+ }
+ }
+ return _fileRealPath;
+ }
+
+ function checkPathWithoutDots(aPath) {
+ if (-1 !== aPath.indexOf('/../')) {
+ return false;
+ }
+ if (-1 !== aPath.indexOf('/./')) {
+ return false;
+ }
+ // check if path ends with '/.' or '/..'
+ if (aPath.match(/\/\.\.?$/)) {
+ return false;
+ }
+ // check if path starts with './' or '../'
+ if (aPath.match(/^\.\.?\//)) {
+ return false;
+ }
+ return true;
+ }
+
function toRealPath(aPath) {
var _fileRealPath = '';
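Review bot: checkPathWithoutDots() lets a path that is exactly `.` or `..` through, because all four checks (L29, L32, L36, L40) require a slash next to the dot segment; the callers that pass an argument unjoined (e.g. the `args.directoryPath` and `args.filePath` checks further down) would then reach toRealPath() with the bare token, so an explicit guard at the top of the function is warranted: `if (aPath === '.' || aPath === '..') { return false; }`. Whether a bare `..` can actually escape the sandbox depends on how toRealPath() maps the virtual root, which is outside this hunk, but the check is cheap and closes the gap regardless. removeDotsFromPath() compares with `==`/`!=` (L13, L14, L20) while checkPathWithoutDots() in the same hunk uses `!==`; `===`/`!==` throughout would keep the style consistent and avoid coercion. Note also that L4 only rejects `undefined`, so a `null` argument would throw in `str.split` at L8 — presumably never passed, but worth a comment or a `str == null` check if that is intended. The hunk's leading context may start before the first visible line.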
} else {
_fileRealPath = aPath;
}
-
+ // this line makes that '.' and '..' is supported in paths, but each method handle those cases
+ // and return error (see commonFS_.checkPathWithoutDots() method)
+ _fileRealPath = removeDotsFromPath(_fileRealPath);
return _fileRealPath;
}
return {
clearCache: clearCache,
+ checkPathWithoutDots: checkPathWithoutDots,
toRealPath: toRealPath,
toVirtualPath: toVirtualPath,
getFileInfo: getFileInfo,
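Review bot: The comment at L52-L53 is hard to parse ("makes that '.' and '..' is supported in paths, but each method handle those cases") and does not say what toRealPath() now guarantees; a clearer wording would be `// Collapse '.' and '..' segments so the returned real path is canonical. The public` / `// entry points reject such segments up front (see checkPathWithoutDots()), so this is` / `// only a safety net; note removeDotsFromPath() returns undefined when '..' climbs above the root.`. That last property matters because callers test the result with `if (!_realNewPath)`, and the comment should make the undefined return explicit rather than leaving readers to discover it in removeDotsFromPath().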
return;
}
+ // Validation against '.' and '..' directories used in path - not allowed
+ var resultSource = commonFS_.checkPathWithoutDots(args.originFilePath);
+ var resultDestination = commonFS_.checkPathWithoutDots(args.destinationFilePath);
+ if (!resultSource || !resultDestination) {
+ // path contains dots - it is not allowed - return InvalidValuesError
+ setTimeout(function() {
+ native_.callIfPossible(args.onerror,
+ new WebAPIException(WebAPIException.INVALID_VALUES_ERR,
+ 'Path contains \'.\' or \'..\' - it is not allowed.'));
+ }, 0);
+ return;
+ }
+
var _realOriginalPath = commonFS_.toRealPath(args.originFilePath);
var _realDestinationPath = commonFS_.toRealPath(args.destinationFilePath);
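Review bot: The nine-line check-and-report block at L66-L76 is duplicated verbatim at L83-L93, L144-L153 and L160-L169, and the synchronous throw variant at L104-L109 is repeated at L118-L123 and L132-L137; the error message string is copied seven times, so a future change to the wording or error type will drift between call sites. Factoring the asynchronous form into one helper that reports through `onerror` and returns whether the path is clean removes the duplication, and the sync sites can share a similarly small helper that throws. The enclosing functions of these hunks start outside the visible lines, so the helper would need to live wherever `commonFS_` and `native_` are in scope.
```javascript
// Reports a '.'/'..' segment through onerror (asynchronously, matching the
// existing error path) and returns false; returns true when the path is clean.
function checkPathOrReportError(path, onerror) {
  if (commonFS_.checkPathWithoutDots(path)) {
    return true;
  }
  setTimeout(function() {
    native_.callIfPossible(onerror,
        new WebAPIException(WebAPIException.INVALID_VALUES_ERR,
            'Path contains \'.\' or \'..\' - it is not allowed.'));
  }, 0);
  return false;
}

// … unchanged: argument validation above the check …
if (!checkPathOrReportError(args.originFilePath, args.onerror) ||
    !checkPathOrReportError(args.destinationFilePath, args.onerror)) {
  return;
}
// … unchanged: toRealPath calls and the rest of the copy/move body …
```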
return;
}
+ // Validation against '.' and '..' directories used in path - not allowed
+ var resultSource = commonFS_.checkPathWithoutDots(args.originFilePath);
+ var resultDestination = commonFS_.checkPathWithoutDots(args.destinationFilePath);
+ if (!resultSource || !resultDestination) {
+ // path contains dots - it is not allowed - return InvalidValuesError
+ setTimeout(function() {
+ native_.callIfPossible(args.onerror,
+ new WebAPIException(WebAPIException.INVALID_VALUES_ERR,
+ 'Path contains \'.\' or \'..\' - it is not allowed.'));
+ }, 0);
+ return;
+ }
+
var _realOriginalPath = commonFS_.toRealPath(args.originFilePath);
var _realDestinationPath = commonFS_.toRealPath(args.destinationFilePath);
var _newPath = this.fullPath + '/' + args.dirPath,
_statObj,
- _fileInfo,
- _realNewPath = commonFS_.toRealPath(_newPath);
+ _fileInfo;
+
+ // Validation against '.' and '..' directories used in path - not allowed
+ var result = commonFS_.checkPathWithoutDots(_newPath);
+ if (!result) {
+ // path contains dots - it is not allowed - return InvalidValuesError
+ throw new WebAPIException(WebAPIException.INVALID_VALUES_ERR,
+ 'Path contains \'.\' or \'..\' - it is not allowed.');
+ }
+
+ var _realNewPath = commonFS_.toRealPath(_newPath);
if (!_realNewPath) {
throw new WebAPIException(WebAPIException.INVALID_VALUES_ERR, 'Path is not valid');
}
var _outputPath = this.fullPath + '/' + args.relativeFilePath;
+
+ // Validation against '.' and '..' directories used in path - not allowed
+ var result = commonFS_.checkPathWithoutDots(_outputPath);
+ if (!result) {
+ // path contains dots - it is not allowed - return InvalidValuesError
+ throw new WebAPIException(WebAPIException.INVALID_VALUES_ERR,
+ 'Path contains \'.\' or \'..\' - it is not allowed.');
+ }
+
var _outputRealPath = commonFS_.toRealPath(_outputPath);
if (!_outputRealPath) {
throw new WebAPIException(WebAPIException.INVALID_VALUES_ERR, 'Path is not valid');
}
var _newPath = this.fullPath + '/' + args.filePath;
+
+ // Validation against '.' and '..' directories used in path - not allowed
+ var result = commonFS_.checkPathWithoutDots(_newPath);
+ if (!result) {
+ // path contains dots - it is not allowed - return InvalidValuesError
+ throw new WebAPIException(WebAPIException.INVALID_VALUES_ERR,
+ 'Path contains \'.\' or \'..\' - it is not allowed.');
+ }
+
var _realPath = commonFS_.toRealPath(_newPath);
if (!_realPath) {
return;
}
+ // Validation against '.' and '..' directories used in path - not allowed
+ var result = commonFS_.checkPathWithoutDots(args.directoryPath);
+ if (!result) {
+ // path contains dots - it is not allowed - return InvalidValuesError
+ setTimeout(function() {
+ native_.callIfPossible(args.onerror,
+ new WebAPIException(WebAPIException.INVALID_VALUES_ERR,
+ 'Path contains \'.\' or \'..\' - it is not allowed.'));
+ }, 0);
+ return;
+ }
+
var _myPath = commonFS_.toRealPath(args.directoryPath);
if (_myPath !== undefined && !commonFS_.f_isSubDir(_myPath, this.fullPath)) {
return;
}
+ // Validation against '.' and '..' directories used in path - not allowed
+ var result = commonFS_.checkPathWithoutDots(args.filePath);
+ if (!result) {
+ // path contains dots - it is not allowed - return InvalidValuesError
+ setTimeout(function() {
+ native_.callIfPossible(args.onerror,
+ new WebAPIException(WebAPIException.INVALID_VALUES_ERR,
+ 'Path contains \'.\' or \'..\' - it is not allowed.'));
+ }, 0);
+ return;
+ }
+
var _fileRealPath = commonFS_.toRealPath(args.filePath);
var _result = native_.callSync('File_statSync', {location: _fileRealPath});