security(import): reject path-traversal filenames from ODS in MassImportService.processRows #530

New Issue

Open

opened 2026-05-11 20:13:41 +02:00 by marcel · 0 comments

marcel commented 2026-05-11 20:13:41 +02:00

Owner

Copy Link

Type: Security hardening (defense-in-depth)
Priority: P2-medium — current code accidentally safe; codify the constraint so a future refactor doesn't silently break it
Source: review of #526 by Nora "NullX" Steiner — comment #8648, finding 6
Parent PR: #526 (mass-import bind mount → first prod-reachable use)

Summary

Reject ODS-supplied filenames that contain path separators, .. segments, or absolute paths before findFileRecursive runs. Today the impact is bounded by an implementation detail; this issue makes the constraint explicit and tested.

Context

The ODS spreadsheet contains filenames in cells. MassImportService.processRows (MassImportService.java:121) maps those cells to files via findFileRecursive(filename) which walks /import and matches on p.getFileName().toString().equals(filename). Currently no validation that the spreadsheet-supplied filename is a plain name without separators or traversal segments.

Today the impact is limited because findFileRecursive matches on getFileName().equals(...), so a cell value like ../etc/passwd would not match anything under /import (no file with that exact basename exists). But if anyone later refactors findFileRecursive to use a path-join (which is the natural-looking thing to do), the protection silently disappears.

With #526 making this prod-reachable, codifying the constraint now prevents that refactor from being a silent vulnerability.

Required

1. Add a validateImportFilename(String) guard at the top of processRows (or wherever the cell value is first read).
2. Reject if any of:
   • null or blank
   • contains / or \ (no path components)
   • contains .. segments
   • is . or ..
   • is an absolute path (Paths.get(name).isAbsolute())
3. On reject, increment the same skipped counter introduced by #529 and log with sanitized SLF4J pattern.
4. Permanent regression tests for each rejection case + happy path.

Acceptance criteria

• All rejection cases above have failing-then-passing tests
• Guard runs before findFileRecursive, not inside it (cheaper, more explicit)
• Status message lists rejected cell values
• Shares the skipped counter with #529 — no duplicate field

Linked NFRs

• Security: Filenames sourced from spreadsheet input MUST be plain basenames with no path components.
• Maintainability: Validation MUST live at the input boundary, not inside lookup helpers, so future refactors can't silently bypass it.

Dependencies

• Shares the ImportStatus.skipped field with #529 — pick whichever lands first; the second reuses it.

Definition of Ready

• Validation rules enumerated
• Insertion point identified (processRows, before findFileRecursive)
• Dependency on #529 noted
• Acceptance criteria testable

🤖 Generated with Claude Code during /implement on #526

**Type:** Security hardening (defense-in-depth) **Priority:** P2-medium — current code accidentally safe; codify the constraint so a future refactor doesn't silently break it **Source:** review of #526 by Nora "NullX" Steiner — comment [#8648](https://git.raddatz.cloud/marcel/familienarchiv/pulls/526#issuecomment-8648), finding 6 **Parent PR:** #526 (mass-import bind mount → first prod-reachable use) ## Summary Reject ODS-supplied filenames that contain path separators, `..` segments, or absolute paths *before* `findFileRecursive` runs. Today the impact is bounded by an implementation detail; this issue makes the constraint explicit and tested. ## Context The ODS spreadsheet contains filenames in cells. `MassImportService.processRows` (`MassImportService.java:121`) maps those cells to files via `findFileRecursive(filename)` which walks `/import` and matches on `p.getFileName().toString().equals(filename)`. Currently no validation that the spreadsheet-supplied filename is a plain name without separators or traversal segments. Today the impact is *limited* because `findFileRecursive` matches on `getFileName().equals(...)`, so a cell value like `../etc/passwd` would not match anything under `/import` (no file with that exact basename exists). **But** if anyone later refactors `findFileRecursive` to use a path-join (which is the natural-looking thing to do), the protection silently disappears. With #526 making this prod-reachable, codifying the constraint now prevents that refactor from being a silent vulnerability. ## Required 1. Add a `validateImportFilename(String)` guard at the top of `processRows` (or wherever the cell value is first read). 2. Reject if any of: - `null` or blank - contains `/` or `\` (no path components) - contains `..` segments - is `.` or `..` - is an absolute path (`Paths.get(name).isAbsolute()`) 3. On reject, increment the same `skipped` counter introduced by #529 and log with sanitized SLF4J pattern. 4. Permanent regression tests for each rejection case + happy path. ## Acceptance criteria - [ ] All rejection cases above have failing-then-passing tests - [ ] Guard runs *before* `findFileRecursive`, not inside it (cheaper, more explicit) - [ ] Status message lists rejected cell values - [ ] Shares the `skipped` counter with #529 — no duplicate field ## Linked NFRs - **Security:** Filenames sourced from spreadsheet input MUST be plain basenames with no path components. - **Maintainability:** Validation MUST live at the input boundary, not inside lookup helpers, so future refactors can't silently bypass it. ## Dependencies - Shares the `ImportStatus.skipped` field with #529 — pick whichever lands first; the second reuses it. ## Definition of Ready - [x] Validation rules enumerated - [x] Insertion point identified (`processRows`, before `findFileRecursive`) - [x] Dependency on #529 noted - [x] Acceptance criteria testable 🤖 Generated with [Claude Code](https://claude.com/claude-code) during /implement on #526

marcel referenced this issue 2026-05-11 20:14:42 +02:00

feat(infra): bind-mount /import for backend mass-import endpoint #526

marcel referenced this issue 2026-05-11 20:36:23 +02:00

ui(admin/system): improve mass-import status card (loading state, i18n, font size) #533

marcel added the P2-mediumsecurity labels 2026-05-11 20:36:41 +02:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/issue-533-mass-import-ux

feat/issue-527-unsaved-warning-new-pages

worktree-feat+issue-557-upload-artifact-v3-pin

worktree-chore+issue-556-drop-client-branches-coverage-gate

fix/issue-514-prerender-crawl-bakes-redirects

fix/issue-472-prerender-entries

feat/issue-395-readme

feat/issue-345-bulk-mark-reviewed

feat/issue-344-bell-tooltip

feat/issue-341-annotieren-contrast

feat/issue-225-bulk-metadata-edit

feat/issue-317-bulk-upload

feat/issue-271-dashboard-redesign

docs/issue-240-mission-control-spec

refactor/issues-193-200

feat/issue-162-korrespondenz-redesign

feature/68-new-document-file-first

feat/81-discussion-discoverability

feat/62-document-bottom-panel

feature/56-backfill-file-hashes

feat/38-document-edit-history

fix/svelte5-test-delegation-and-login-auth

No results found.

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

test

ui

UI/UX and accessibility issues

user

No Label P2-medium security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#530