[REEF-2019] Enforce uncompressed files are within the current working directory in EvaluatorShim - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: REEF-Runtime-AZBatch
Labels:
None

Description

When compressed files are uncompressed, the files can be created outside the current working directory in EvaluatorShim (L295).

[https://github.com/apache/reef/blob/561a336f2f0dda8f4a67a96179750a76167b038f/lang/java/reef-runtime-azbatch/src/main/java/org/apache/reef/runtime/azbatch/evaluator/EvaluatorShim.java#L295

]

We will enforce that uncompressed files in EvaluatorShim are within the current working directory. If not, an exception will be raised.

markus.weimer suggested the following fix.

final Path reefPath = this.reefFileNames.getREEFFolder().toPath();
...
final Path destination = new File(this.reefFileNames.getREEFFolder(),
zipEntry.getName()).toPath();
if(!destination.startsWith(reefPath))

{ throw new IOException("Trying to unzip a file outside of the destination folder: " + destination); }

Files.copy(inputStream, destination);

Assigning this issue to gyewonlee.

Attachments

Issue Links

links to

GitHub Pull Request #1463

GitHub Pull Request #1475

Activity

People

Assignee:: Gyewon Lee

Reporter:: Byung-Gon Chun

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 18/May/18 06:25

Updated:: 12/Jun/18 04:35