security(import): add canonical path escape guard in findFileRecursive

A symlink placed inside importDir pointing to a file outside it would pass isValidImportFilename (no forbidden chars in the symlink name) and be found by Files.walk. Now checks candidate.getCanonicalPath() against baseDir.getCanonicalPath() — if the resolved path escapes importDir, throws DomainException.internal and aborts the import. Adds regression test using @TempDir + Files.createSymbolicLink. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-21 10:16:18 +02:00
parent 4e33f52add
commit eca4f1f0e8
2 changed files with 25 additions and 3 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/importing/MassImportService.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/importing/MassImportService.java
@@ -490,11 +490,18 @@ public class MassImportService {
    }

    private Optional<File> findFileRecursive(String filename) {
-        try (Stream<Path> walk = Files.walk(Paths.get(importDir))) {
-            return walk.filter(p -> !Files.isDirectory(p))
+        File baseDir = new File(importDir);
+        try (Stream<Path> walk = Files.walk(baseDir.toPath())) {
+            Optional<Path> match = walk.filter(p -> !Files.isDirectory(p))
                    .filter(p -> p.getFileName().toString().equals(filename))
-                    .map(Path::toFile)
                    .findFirst();
+            if (match.isEmpty()) return Optional.empty();
+            File candidate = match.get().toFile();
+            String baseDirCanonical = baseDir.getCanonicalPath();
+            if (!candidate.getCanonicalPath().startsWith(baseDirCanonical + File.separator)) {
+                throw DomainException.internal(ErrorCode.INTERNAL_ERROR, "Path escape detected: " + candidate);
+            }
+            return Optional.of(candidate);
        } catch (IOException e) {
            return Optional.empty();
        }
--- a/backend/src/test/java/org/raddatz/familienarchiv/importing/MassImportServiceTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/importing/MassImportServiceTest.java
@@ -758,6 +758,21 @@ class MassImportServiceTest {
                .containsExactly(MassImportService.SkipReason.FILE_READ_ERROR);
    }

+    // ─── findFileRecursive — symlink escape security regression — do not remove ─
+
+    @Test
+    void findFileRecursive_throwsDomainException_whenSymlinkEscapesImportDir(
+            @TempDir Path importDirPath, @TempDir Path outsideDir) throws Exception {
+        Path outsideFile = outsideDir.resolve("secret.pdf");
+        Files.writeString(outsideFile, "sensitive content");
+        Files.createSymbolicLink(importDirPath.resolve("secret.pdf"), outsideFile);
+
+        ReflectionTestUtils.setField(service, "importDir", importDirPath.toString());
+
+        assertThatThrownBy(() -> ReflectionTestUtils.invokeMethod(service, "findFileRecursive", "secret.pdf"))
+                .isInstanceOf(DomainException.class);
+    }
+
    // ─── readOds — XXE security regression ───────────────────────────────────

    // Security regression — do not remove.