From 4d61e9f0345b7d4258f0188496bf912ed52b3097 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Ka=C5=BAmierczyk?=
Date: Tue, 19 Nov 2024 23:27:42 +0100
Subject: [PATCH] Ref #32 Fixed further Uncontrolled data used in path expression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Krzysztof Kaźmierczyk
---
 src/javacore_analyser/javacore_set.py | 30 +++++++++++++++++----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/src/javacore_analyser/javacore_set.py b/src/javacore_analyser/javacore_set.py
index 3f23d77..cafa6e2 100644
--- a/src/javacore_analyser/javacore_set.py
+++ b/src/javacore_analyser/javacore_set.py
@@ -49,9 +49,6 @@ def _create_xml_xsl_for_collection(tmp_dir, templates_dir, xml_xsl_filename, col
         f.close()
 
-
-
-
 class JavacoreSet:
     """represents a single javacore collection consisting of one or more javacore files"""
 
@@ -150,18 +147,18 @@ def __create_output_files_structure(self, output_dir):
 
     def __generate_htmls_for_threads(self, output_dir, temp_dir_name):
         _create_xml_xsl_for_collection(temp_dir_name + "/threads",
-                                    output_dir + "/data/xml/threads", "thread",
-                                    self.threads,
-                                    "thread")
+                                       output_dir + "/data/xml/threads", "thread",
+                                       self.threads,
+                                       "thread")
         self.generate_htmls_from_xmls_xsls(self.report_xml_file, temp_dir_name + "/threads",
                                            output_dir + "/threads", )
 
     def __generate_htmls_for_javacores(self, output_dir, temp_dir_name):
         _create_xml_xsl_for_collection(temp_dir_name + "/javacores",
-                                    output_dir + "/data/xml/javacores/", "javacore",
-                                    self.javacores,
-                                    "")
+                                       output_dir + "/data/xml/javacores/", "javacore",
+                                       self.javacores,
+                                       "")
         self.generate_htmls_from_xmls_xsls(self.report_xml_file, temp_dir_name + "/javacores",
                                            output_dir + "/javacores", )
@@ -484,12 +481,23 @@ def get_javacore_set_in_xml(self):
         finally:
             file.close()
 
+    @staticmethod
+    def validate_uncontrolled_data_used_in_path(path_params):
+        fullpath = os.path.normpath(os.path.join(path_params))
+        if not fullpath.startswith(path_params[0]):
+            raise Exception("Security exception: Uncontrolled data used in path expression")
+        return fullpath
+
     @staticmethod
     def __create_index_html(input_dir, output_dir):
         # Copy index.xml and report.xsl to temp - for index.html we don't need to generate anything. Copying is enough.
-        shutil.copy2(output_dir + "/data/xml/index.xml", input_dir)
-        shutil.copy2(output_dir + "/data/xml/report.xsl", input_dir)
+        #index_xml = validate_uncontrolled_data_used_in_path([output_dir, "data", "xml", "index.xml"])
+        index_xml = os.path.normpath(importlib_resources.files("javacore_analyser") / "data" / "xml" / "index.xml")
+        shutil.copy2(index_xml, input_dir)
+
+        report_xsl = os.path.normpath(importlib_resources.files("javacore_analyser") / "data" / "xml" / "report.xsl")
+        shutil.copy2(report_xsl, input_dir)
 
         xslt_doc = etree.parse(input_dir + "/report.xsl")
         xslt_transformer = etree.XSLT(xslt_doc)
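Review bot: `validate_uncontrolled_data_used_in_path` cannot work as written: `os.path.join(path_params)` hands the whole list to a function that takes separate positional components and raises `TypeError` for a list, and its only call site, the `#index_xml = ...` line, is commented out, so the new check is dead code. Even once it runs, `fullpath.startswith(path_params[0])` is a plain string-prefix test, so a base of `out` still accepts `out2/x`, and the base is never normalised before the comparison; comparing `os.path.commonpath([base, fullpath])` with the normalised base is the usual fix (it raises `ValueError` instead of the custom exception when one side is absolute and the other relative, which still rejects the path). The commented-out call should be deleted rather than kept, and switching the copy source from `output_dir + "/data/xml/..."` to `importlib_resources.files("javacore_analyser")` changes where the templates are read from, which the commit message does not mention; `importlib_resources` also has to be imported at module level, which this hunk does not show. Both methods start and end inside the hunk.
```python
    @staticmethod
    def validate_uncontrolled_data_used_in_path(path_params):
        base = os.path.normpath(path_params[0])
        fullpath = os.path.normpath(os.path.join(*path_params))
        if os.path.commonpath([base, fullpath]) != base:
            raise Exception("Security exception: Uncontrolled data used in path expression")
        return fullpath
```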