oscerd commented on code in PR #24180:
URL: https://github.com/apache/camel/pull/24180#discussion_r3459960339
##########
components/camel-file/src/main/java/org/apache/camel/component/file/GenericFileHelper.java:
##########
@@ -16,16 +16,39 @@
*/
package org.apache.camel.component.file;
+import java.io.File;
import java.util.function.Supplier;
import org.apache.camel.Exchange;
import org.apache.camel.support.MessageHelper;
+import org.apache.camel.util.FileUtil;
public final class GenericFileHelper {
private GenericFileHelper() {
}
+ /**
+ * Ensures the resolved local work file stays within the configured local
work directory. The remote file name used
+ * to build the local work file path may contain {@code ../} sequences
that would otherwise resolve to a path
+ * outside the work directory.
+ *
+ * @param target the resolved local work
file (or its in-progress temp file)
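Review bot: The Javadoc on the new helper in GenericFileHelper names only `../` sequences as the way a remote file name can leave the work directory, and the visible part does not say how containment is decided or what happens when the check fails. Suggest stating that the comparison is made on normalized paths, whether absolute names and platform-specific separators are covered, and which exception the caller should expect on a violation, so that the file-based components that call this helper document the same contract.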
Review Comment:
Good call — applied here rather than as a follow-up (commit 9709484).
`jailStartingDirectory` is now `label = "common"` (was `"producer"`) with an
expanded description noting that, for consumers using a `localWorkDirectory`,
it also restricts downloads to within that directory. It now appears in the
common options for all file-based components, and the catalog/component
metadata + endpoint-dsl factories are regenerated in this PR.
Since this PR introduces the consumer-side semantic, documenting it here
also keeps the 4.18.x / 4.14.x backports consistent (the option governs
consumer downloads on those branches too).
_Claude Code on behalf of Andrea Cosentino_
##########
components/camel-smb/src/main/java/org/apache/camel/component/smb/SmbOperations.java:
##########
@@ -337,12 +338,19 @@ private boolean
retrieveFileToFileInLocalWorkDirectory(String name, Exchange exc
// use relative filename in local work directory
String relativeName = file.getRelativeFilePath();
+ java.io.File localWorkDir = local;
temp = new java.io.File(local, relativeName + ".inprogress");
// create directory to local work file
local.mkdirs();
local = new java.io.File(local, relativeName);
+ // ensure the local work file stays within the local work
directory (CAMEL-23765)
+ if (endpoint.isJailStartingDirectory()) {
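Review bot: In retrieveFileToFileInLocalWorkDirectory the jail check is placed after `local.mkdirs()` and after `temp` has already been built from `relativeName`, so it runs only once a filesystem side effect has happened. Suggest moving the `if (endpoint.isJailStartingDirectory())` block ahead of `local.mkdirs()` and making sure it covers the `.inprogress` temp path as well as the final `local` path, since both are derived from the same remote-supplied `relativeName`. The check is also gated on the endpoint option, so the option's documentation should say that turning it off removes this containment for consumer downloads.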
Review Comment:
Done (commit 9709484) — reordered so the jail check runs before directory
creation, matching `FtpOperations` / `SftpOperations` / `MinaSftpOperations` /
`FilesOperations`. I kept SMB's existing `mkdirs()` on the base work directory
(now `localWorkDir.mkdirs()`, equivalent to the previous `local.mkdirs()` call)
rather than switching to `local.mkdirs()` on the full path, to avoid changing
pre-existing behavior unrelated to this fix.
_Claude Code on behalf of Andrea Cosentino_