Isolate ability to traverse directories when uploading files

Requires that the path an input file is being uploaded to is either the
directory configured via the `batch.files.upload-dir` property or a
subdirectory of it.

Author: mminella

spring-batch-admin-manager/src/main/java/org/springframework/batch/admin/service/LocalFileService.java

@@ -15,9 +15,19 @@
  */
 package org.springframework.batch.admin.service;
 
+import java.io.File;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.ResourceLoaderAware;
 import org.springframework.core.io.ContextResource;
@@ -29,13 +39,6 @@
 import org.springframework.core.io.support.ResourcePatternUtils;
 import org.springframework.util.Assert;
 
-import java.io.File;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-
 /**
  * An implementation of {@link FileService} that deals with files only in the
  * local file system. Files and triggers are created in subdirectories of the
@@ -93,6 +96,16 @@ public FileInfo createFile(String path) throws IOException {
 		}
 
 		File directory = new File(outputDir, parent);
+
+		try {
+			if(!new URI(directory.getAbsolutePath()).normalize().getPath().startsWith(this.outputDir.getAbsolutePath())) {
+				throw new IllegalArgumentException("Can not write to directory: " + directory.getAbsolutePath());
+			}
+		}
+		catch (URISyntaxException e) {
+			throw new IOException(e);
+		}
+
 		directory.mkdirs();
 		Assert.state(directory.exists() && directory.isDirectory(), "Could not create directory: " + directory);
 
@@ -244,6 +257,7 @@ private String sanitize(String path) {
 				path = path.substring(1);
 			}
 		}
+
 		return path;
 	}
 

spring-batch-admin-manager/src/main/resources/META-INF/spring/batch/bootstrap/integration/file-context.xml

@@ -15,6 +15,7 @@
 	<bean id="fileService" class="org.springframework.batch.admin.service.LocalFileService"
 			xmlns="http://www.springframework.org/schema/beans">
 		<property name="fileSender" ref="fileSender" />
+		<property name="outputDir" value="${batch.files.upload-dir:#{systemProperties['java.io.tmpdir']}}"/>
 	</bean>
 
 	<bean id="customEditorConfigurer" class="org.springframework.beans.factory.config.CustomEditorConfigurer"

spring-batch-admin-manager/src/main/resources/META-INF/spring/batch/bootstrap/integration/restart-context.xml

@@ -1,7 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<beans:beans xmlns="http://www.springframework.org/schema/integration" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+<beans:beans xmlns="http://www.springframework.org/schema/integration"
+			 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+			 xmlns:beans="http://www.springframework.org/schema/beans"
+			 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
 		http://www.springframework.org/schema/integration http://www.springframework.org/schema/integration/spring-integration.xsd">
 
 	<channel id="job-launches" />

spring-batch-admin-manager/src/test/java/org/springframework/batch/admin/service/LocalFileServiceIntegrationTests.java

@@ -1,11 +1,7 @@
 package org.springframework.batch.admin.service;
 
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-
 import java.io.File;
 
-import org.apache.commons.io.FileUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.junit.Before;
@@ -24,6 +20,9 @@
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
 @ContextConfiguration
 @RunWith(SpringJUnit4ClassRunner.class)
 public class LocalFileServiceIntegrationTests {
@@ -49,7 +48,14 @@ public void handleMessage(Message<?> message) throws MessageRejectedException, M
 
 	@Before
 	public void setUp() throws Exception {
-		FileUtils.deleteDirectory(service.getUploadDirectory());
+		File bucket = new File(service.getUploadDirectory(), "spam/bucket");
+		if(bucket.exists()) {
+			bucket.delete();
+		}
+		File crap = new File(service.getUploadDirectory(), "spam/bucket/crap");
+		if(crap.exists()) {
+			crap.delete();
+		}
 		files.unsubscribe(handler);
 		files.subscribe(handler);
 	}

spring-batch-admin-manager/src/test/java/org/springframework/batch/admin/service/LocalFileServiceJobIntegrationTests.java

@@ -1,9 +1,7 @@
 package org.springframework.batch.admin.service;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
+import java.io.File;
 
-import org.apache.commons.io.FileUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.junit.Before;
@@ -29,6 +27,9 @@
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
 @ContextConfiguration
 @RunWith(SpringJUnit4ClassRunner.class)
 @DirtiesContext(classMode=ClassMode.AFTER_CLASS)
@@ -54,7 +55,14 @@ public class LocalFileServiceJobIntegrationTests {
 
 	@Before
 	public void setUp() throws Exception {
-		FileUtils.deleteDirectory(service.getUploadDirectory());
+		File bucket = new File(service.getUploadDirectory(), "foo/crap");
+		if(bucket.exists()) {
+			bucket.delete();
+		}
+		File crap = new File(service.getUploadDirectory(), "staging/crap");
+		if(crap.exists()) {
+			crap.delete();
+		}
 	}
 
 	@Test

spring-batch-admin-manager/src/test/resources/batch-derby.properties

@@ -9,3 +9,4 @@ batch.schema.script=classpath:/org/springframework/batch/core/schema-derby.sql
 batch.drop.script=classpath:/org/springframework/batch/core/schema-drop-derby.sql
 batch.business.schema.script=business-schema-derby.sql
 batch.verify.cursor.position=false
+# batch.files.upload-dir=/sba/input

spring-batch-admin-manager/src/test/resources/batch-h2.properties

@@ -8,3 +8,4 @@ batch.database.incrementer.class=org.springframework.jdbc.support.incrementer.H2
 batch.schema.script=classpath:/org/springframework/batch/core/schema-h2.sql
 batch.drop.script=classpath:/org/springframework/batch/core/schema-drop-h2.sql
 batch.business.schema.script=classpath:/business-schema-h2.sql
+# batch.files.upload-dir=/sba/input

spring-batch-admin-manager/src/test/resources/batch-hsql.properties

@@ -10,3 +10,4 @@ batch.database.incrementer.class=org.springframework.jdbc.support.incrementer.Hs
 batch.schema.script=classpath*:/org/springframework/batch/core/schema-hsqldb.sql
 batch.drop.script=classpath*:/org/springframework/batch/core/schema-drop-hsqldb.sql
 batch.business.schema.script=classpath*:/business-schema-hsqldb.sql
+# batch.files.upload-dir=/sba/input

spring-batch-admin-manager/src/test/resources/batch-mysql.properties

@@ -8,3 +8,4 @@ batch.database.incrementer.class=org.springframework.jdbc.support.incrementer.My
 batch.schema.script=classpath:/org/springframework/batch/core/schema-mysql.sql
 batch.drop.script=classpath:/org/springframework/batch/core/schema-drop-mysql.sql
 batch.business.schema.script=classpath:business-schema-mysql.sql
+# batch.files.upload-dir=/sba/input

spring-batch-admin-manager/src/test/resources/org/springframework/batch/admin/service/LocalFileServiceIntegrationTests-context.xml

@@ -1,10 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans" 
-	xmlns:integration="http://www.springframework.org/schema/integration"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://www.springframework.org/schema/batch http://www.springframework.org/schema/batch/spring-batch-2.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-		http://www.springframework.org/schema/integration http://www.springframework.org/schema/integration/spring-integration.xsd">
+<beans xmlns="http://www.springframework.org/schema/beans"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<bean id="placeholderProperties" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+		<property name="locations">
+			<list>
+				<value>classpath:/org/springframework/batch/admin/bootstrap/batch.properties</value>
+				<value>classpath:batch-default.properties</value>
+				<value>classpath:batch-${ENVIRONMENT:hsql}.properties</value>
+			</list>
+		</property>
+		<property name="systemPropertiesModeName" value="SYSTEM_PROPERTIES_MODE_OVERRIDE" />
+		<property name="ignoreResourceNotFound" value="true" />
+		<property name="ignoreUnresolvablePlaceholders" value="false" />
+		<property name="order" value="1" />
+	</bean>
 
 	<import resource="classpath*:/META-INF/spring/batch/bootstrap/integration/file-context.xml" />