[KEYCLOAK-19422] ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader

2021-10-14 15:47:57 -07:00 · 2021-10-14 15:47:57 -07:00 · 73f0474008
commit 73f0474008
parent 7d0af8519b
3 changed files with 37 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/theme/ClassLoaderTheme.java
+++ b/services/src/main/java/org/keycloak/theme/ClassLoaderTheme.java
@ -105,8 +105,19 @@ public class ClassLoaderTheme implements Theme {
    }

    @Override
-    public InputStream getResourceAsStream(String path) {
-        return classLoader.getResourceAsStream(resourceRoot + path);
+    public InputStream getResourceAsStream(String path) throws IOException {
+        final URL rootResourceURL = classLoader.getResource(resourceRoot);
+        if (rootResourceURL == null) {
+            return null;
+        }
+        final String rootPath = rootResourceURL.getPath();
+        final URL resourceURL = classLoader.getResource(resourceRoot + path);
+        if(resourceURL == null || !resourceURL.getPath().startsWith(rootPath)) {
+            return null;
+        }
+        else {
+            return resourceURL.openConnection().getInputStream();
+        }
    }

    @Override
--- a/services/src/main/java/org/keycloak/theme/ClasspathThemeResourceProviderFactory.java
+++ b/services/src/main/java/org/keycloak/theme/ClasspathThemeResourceProviderFactory.java
@ -39,7 +39,18 @@ public class ClasspathThemeResourceProviderFactory implements ThemeResourceProvi

    @Override
    public InputStream getResourceAsStream(String path) throws IOException {
-        return classLoader.getResourceAsStream(THEME_RESOURCES_RESOURCES + path);
+        final URL rootResourceURL = classLoader.getResource(THEME_RESOURCES_RESOURCES);
+        if (rootResourceURL == null) {
+            return null;
+        }
+        final String rootPath = rootResourceURL.getPath();
+        final URL resourceURL = classLoader.getResource(THEME_RESOURCES_RESOURCES + path);
+        if(resourceURL == null || !resourceURL.getPath().startsWith(rootPath)) {
+            return null;
+        }
+        else {
+            return resourceURL.openConnection().getInputStream();
+        }
    }

    @Override
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/theme/ThemeResourceProviderTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/theme/ThemeResourceProviderTest.java
@ -73,6 +73,18 @@ public class ThemeResourceProviderTest extends AbstractTestRealmKeycloakTest {
        });
    }

+    @Test
+    public void getResourceIllegalTraversal() {
+        testingClient.server().run(session -> {
+            try {
+                Theme theme = session.theme().getTheme("base", Theme.Type.LOGIN);
+                Assert.assertNull(theme.getResourceAsStream("../templates/test.ftl"));
+            } catch (IOException e) {
+                Assert.fail(e.getMessage());
+            }
+        });
+    }
+
    @Test
    public void gzipEncoding() throws IOException {
        final String resourcesVersion = testingClient.server().fetch(session -> Version.RESOURCES_VERSION, String.class);