NGResourceLoader.FileSystemDirectoryResourceSource.resourceWithPath() (around line 184) calls Path.resolve(resourcePath) without normalization or containment check. A request for ../../../etc/passwd resolves outside the intended resource directory.
Affected code
ng-appserver/src/main/java/ng/appserver/resources/NGResourceLoader.java — FileSystemDirectoryResourceSource.
Classpath-based resource sources are not affected (they use ClassLoader resolution, which is safe).
Fix
Normalize the resolved path and verify it remains within the base directory. Roughly:
final Path base = _baseDirectory.toAbsolutePath().normalize();
final Path resolved = base.resolve(resourcePath).normalize(); // an absolute resourcePath comes back unchanged here and is rejected below
if (!resolved.startsWith(base)) { // Path.startsWith compares name elements, not string prefixes, so /srv/res2 is not "inside" /srv/res
return null; // or throw
}
Caveat: normalize() is purely lexical. If symbolic links can exist under the resource directory, a link pointing outside it still passes this check; in that case compare toRealPath() of the base and of the candidate (which requires the file to exist) instead.
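The check above as a self-contained, runnable class. This is example code written for this report, not code from ng-appserver; the class and method names (ContainedResolveDemo, resolveContained, resolveContainedReal) are chosen here, and the fixture directory and symlink are constructed inline. It shows the lexical check accepting css/app.css and an internal css/../css/app.css, rejecting ../../../etc/passwd and an absolute /etc/passwd, and then the symlink case that only the toRealPath() variant catches.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Demonstration of the containment check proposed in this report.
 * Example code for the report, not part of ng-appserver.
 */
public final class ContainedResolveDemo {

    /**
     * Resolve resourcePath against base and return the result only if it
     * stays inside base after lexical normalization; null otherwise.
     * Path.startsWith compares whole name elements, so "/srv/res2" is not
     * treated as being inside "/srv/res".
     */
    static Path resolveContained(Path base, String resourcePath) {
        final Path absBase = base.toAbsolutePath().normalize();
        // If resourcePath is absolute, resolve() returns it unchanged and
        // the startsWith check below rejects it.
        final Path resolved = absBase.resolve(resourcePath).normalize();
        if (!resolved.startsWith(absBase)) {
            return null;
        }
        return resolved;
    }

    /**
     * Stricter variant: follows symlinks via toRealPath() so that a link
     * inside the resource directory that points outside it is also rejected.
     * toRealPath() needs the file to exist; a missing file is reported as
     * null, which is what a resource loader wants anyway.
     */
    static Path resolveContainedReal(Path base, String resourcePath) throws IOException {
        final Path realBase = base.toRealPath();
        final Path candidate = resolveContained(realBase, resourcePath);
        if (candidate == null || !Files.exists(candidate)) {
            return null;
        }
        final Path real = candidate.toRealPath();
        return real.startsWith(realBase) ? real : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a temporary resource directory with one file.
        final Path base = Files.createTempDirectory("ng-resources");
        final Path css = Files.createDirectories(base.resolve("css"));
        Files.writeString(css.resolve("app.css"), "body{}");

        System.out.println("css/app.css         -> " + resolveContained(base, "css/app.css"));
        System.out.println("css/../css/app.css  -> " + resolveContained(base, "css/../css/app.css"));
        System.out.println("../../../etc/passwd -> " + resolveContained(base, "../../../etc/passwd"));
        System.out.println("/etc/passwd         -> " + resolveContained(base, "/etc/passwd"));

        // Symlink case: a link under base pointing at base's parent directory.
        // The lexical check accepts it; the toRealPath() variant rejects it.
        final Path link = base.resolve("escape");
        try {
            Files.createSymbolicLink(link, base.getParent());
            System.out.println("escape/ (lexical)   -> " + resolveContained(base, "escape/"));
            System.out.println("escape/ (real)      -> " + resolveContainedReal(base, "escape/"));
        } catch (IOException | UnsupportedOperationException e) {
            // Symlink creation may be unavailable (e.g. Windows without privilege).
            System.out.println("symlink test skipped: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ContainedResolveDemo.java && java ContainedResolveDemo` (Java 11 or later for Files.writeString). The two traversal inputs and the symlink-with-toRealPath case print null; the first two inputs print the same in-base path, which is the point of normalizing before the comparison rather than rejecting any string containing "..".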
Severity
Critical — allows reading arbitrary files on disk from the filesystem resource source. M2 blocker.