LPS-200229 Resolve path traversals in Combo Servlet

izaera · brianchandotcom · commit 9be57d358ae0 · 2023-12-11T19:42:19.000-03:00
diff --git a/portal-impl/src/com/liferay/portal/servlet/ComboServlet.java b/portal-impl/src/com/liferay/portal/servlet/ComboServlet.java
@@ -45,10 +45,12 @@
 import java.io.IOException;
 import java.io.Serializable;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.LinkedHashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.regex.Matcher;
@@ -164,6 +166,12 @@ protected void doService(
 				name = modulePortletId.concat(name);
 			}
 
+			name = _canonicalizePath(name);
+
+			if (Validator.isNull(name)) {
+				continue;
+			}
+
 			modulePathsSet.add(name);
 		}
 
@@ -578,6 +586,36 @@ protected boolean validateModuleExtension(String moduleName)
 		return validModuleExtension;
 	}
 
+	private String _canonicalizePath(String path) {
+		if (!path.contains(StringPool.PERIOD)) {
+			return path;
+		}
+
+		List<String> canonicalParts = new ArrayList<>();
+
+		String[] parts = StringUtil.split(path, StringPool.SLASH);
+
+		for (String part : parts) {
+			if (part.equals(StringPool.PERIOD)) {
+				continue;
+			}
+
+			if (part.equals(StringPool.DOUBLE_PERIOD)) {
+				if (canonicalParts.isEmpty()) {
+					return null;
+				}
+
+				canonicalParts.remove(canonicalParts.size() - 1);
+
+				continue;
+			}
+
+			canonicalParts.add(part);
+		}
+
+		return StringUtil.merge(canonicalParts, StringPool.SLASH);
+	}
+
 	private String _getModulePathExtension(String modulePath) {
 		String resourcePath = getResourcePath(modulePath);
 
diff --git a/portal-impl/test/unit/com/liferay/portal/servlet/ComboServletTest.java b/portal-impl/test/unit/com/liferay/portal/servlet/ComboServletTest.java
@@ -209,6 +209,17 @@ public void testMixedExtensionsRequest() throws Exception {
 			mockHttpServletResponse.getStatus());
 	}
 
+	@Test
+	public void testServiceWithNoncanonicalPaths() throws Exception {
+		_testService(null, "/../js/aui.js", _portalServletContext);
+
+		_testService("/js/aui.js", "/./js/aui.js", _portalServletContext);
+
+		_testService("/js/aui.js", "/js/./aui.js", _portalServletContext);
+
+		_testService("/js/aui.js", "/js/down/../aui.js", _portalServletContext);
+	}
+
 	@Test
 	public void testServiceWithoutPortletIdButWithContext() throws Exception {
 		_testService(
@@ -391,7 +402,7 @@ private void _testService(
 			mockHttpServletRequest, new MockHttpServletResponse());
 
 		Mockito.verify(
-			servletContext
+			servletContext, Mockito.times((path == null) ? 0 : 1)
 		).getRequestDispatcher(
 			path
 		);
