Ref #12 Fixed Uncontrolled data used in path expression

Signed-off-by: Krzysztof Kaźmierczyk <[email protected]>
IBM · Nov 19, 2024 · 6f61144 · 6f61144
1 parent f0d3c34
commit 6f61144
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/javacore_analyser/javacore_set.py b/src/javacore_analyser/javacore_set.py
@@ -136,7 +136,9 @@ def generate_report_files(self, output_dir):
     def __create_output_files_structure(self, output_dir):
         if not os.path.isdir(output_dir):
             os.mkdir(output_dir)
-        data_output_dir = output_dir + '/data'
+        data_output_dir = os.path.normpath(os.path.join(output_dir, 'data'))
+        if not data_output_dir.startswith(output_dir):
+            raise Exception("Security exception: Uncontrolled data used in path expression")
         if os.path.isdir(data_output_dir):
             shutil.rmtree(data_output_dir, ignore_errors=True)
         logging.info("Data dir: " + data_output_dir)