Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-32742

Fix ZIP import for document with path traversal values

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2021.40, 2023.1
    • Fix Version/s: 2025.x, 2021.57, 2023.15
    • Component/s: Core
    • Release Notes Summary:
      Path traversals are detected more precisely.
    • Tags:
    • Backlog priority:
      900
    • Team:
      PLATFORM
    • Sprint:
      nxplatform #117
    • Story Points:
      3

      Description

      Since NXP-31583, exported ZIP archive cannot be reimported to Nuxeo if a document name contains path traversal values: the commit https://github.com/nuxeo/nuxeo/commit/02e9077d91e470c16d9d409708cee2f79d935949 now throws an IllegalArgumentException with the message "Illegal path"

      As a solution to manage old ZIP imports may be complicated, the request here is to forbid the creation of documents with path traversal values

      Steps to reproduce:

      1. create a File document with the title "test ... for import"
      2. observe that a document is created with name equal to "test ... for import" 
        "path": "/default-domain/UserWorkspaces/Administrator/test ... for import",
"type": "File",
      3. do the action Export > Zip export in the UI
      4. open the zip archive and observe the folder who name is "test ... for import" => this one will produce the exception during the import

      Expected behavior: the document name is sanitized at creation time to remove/transform the path traversal values.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: