-
Type:
Bug
-
Status: Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 2021.40, 2023.1
-
Component/s: Core
-
Release Notes Summary:Path traversals are detected more precisely.
-
Tags:
-
Backlog priority:900
-
Team:PLATFORM
-
Sprint:nxplatform #117
-
Story Points:3
Since NXP-31583, exported ZIP archive cannot be reimported to Nuxeo if a document name contains path traversal values: the commit https://github.com/nuxeo/nuxeo/commit/02e9077d91e470c16d9d409708cee2f79d935949 now throws an IllegalArgumentException with the message "Illegal path"
As a solution to manage old ZIP imports may be complicated, the request here is to forbid the creation of documents with path traversal values
Steps to reproduce:
- create a File document with the title "test ... for import"
- observe that a document is created with name equal to "test ... for import"
"path": "/default-domain/UserWorkspaces/Administrator/test ... for import", "type": "File",
- do the action Export > Zip export in the UI
- open the zip archive and observe the folder who name is "test ... for import" => this one will produce the exception during the import
Expected behavior: the document name is sanitized at creation time to remove/transform the path traversal values.