From 930460424c715f52a7cb5eef5b084a7a8ef31fb5 Mon Sep 17 00:00:00 2001
From: Olivier Lamy <olamy@apache.org>
Date: Mon, 5 Sep 2022 13:38:49 +1000
Subject: [PATCH] validate path

Signed-off-by: Olivier Lamy <olamy@apache.org>
---
 .../archiva-web/archiva-webapp/pom.xml        | 113 ------------------
 .../ManagedDefaultRepositoryContent.java      |   7 ++
 2 files changed, 7 insertions(+), 113 deletions(-)

diff --git a/archiva-modules/archiva-web/archiva-webapp/pom.xml b/archiva-modules/archiva-web/archiva-webapp/pom.xml
index 6e0c55e90..a6152f641 100644
--- a/archiva-modules/archiva-web/archiva-webapp/pom.xml
+++ b/archiva-modules/archiva-web/archiva-webapp/pom.xml
@@ -591,46 +591,6 @@
         </exclusion>
       </exclusions>
     </dependency>
-
-
-    <!-- sirona -->
-    <!--
-    FIXME for some reasons doesn't work with the jetty app see MRM-1792
-    <dependency>
-      <groupId>org.apache.sirona</groupId>
-      <artifactId>sirona-core</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.sirona</groupId>
-      <artifactId>sirona-jdbc</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.sirona</groupId>
-      <artifactId>sirona-web</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.sirona</groupId>
-      <artifactId>sirona-spring</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.sirona</groupId>
-      <artifactId>sirona-reporting</artifactId>
-      <classifier>classes</classifier>
-    </dependency>
-    -->
-    <!--
-    <dependency>
-      <groupId>org.apache.sirona</groupId>
-      <artifactId>sirona-ehcache-agent</artifactId>
-    </dependency>
-
-
-    <dependency>
-      <groupId>org.apache.sirona</groupId>
-      <artifactId>sirona-cassandra</artifactId>
-    </dependency>
-    -->
-
     <dependency>
       <groupId>cglib</groupId>
       <artifactId>cglib</artifactId>
@@ -865,79 +825,6 @@
 
     <plugins>
 
-      <!-- commented as not needed now
-      <plugin>
-        <groupId>com.samaxes.maven</groupId>
-        <artifactId>maven-minify-plugin</artifactId>
-        <version>1.3.5</version>
-        <executions>
-          <execution>
-            <id>startup-minify</id>
-            <phase>generate-resources</phase>
-            <configuration>
-              <webappSourceDir>${basedir}/src/main/webapp</webappSourceDir>
-              <cssSourceDir>css</cssSourceDir>
-              <cssSourceFiles>
-                <cssSourceFile>jquery-ui-1.8.16.custom.css</cssSourceFile>
-                <cssSourceFile>jquery.ui.1.8.16.ie.css</cssSourceFile>
-                <cssSourceFile>bootstrap.2.0.2.css</cssSourceFile>
-                <cssSourceFile>archiva.css</cssSourceFile>
-              </cssSourceFiles>
-              <cssFinalFile>apache-archiva-${project.version}.css</cssFinalFile>
-              <jsSourceDir>js</jsSourceDir>
-              <jsSourceFiles>
-                <jsSourceFile>jquery-1.7.2.js</jsSourceFile>
-                <jsSourceFile>lab.js</jsSourceFile>
-                <jsSourceFile>require.1.0.1.js</jsSourceFile>
-              </jsSourceFiles>
-              <jsFinalFile>apache-archiva-startup-${project.version}.js</jsFinalFile>
-            </configuration>
-            <goals>
-              <goal>minify</goal>
-            </goals>
-          </execution>
-          <execution>
-            <id>main-minify</id>
-            <phase>generate-resources</phase>
-            <configuration>
-              <webappSourceDir>${basedir}/src/main/webapp</webappSourceDir>
-              <jsSourceDir>js</jsSourceDir>
-              <jsSourceFiles>
-                <jsSourceFile>jquery.tmpl.js</jsSourceFile>
-                <jsSourceFile>archiva/utils.js</jsSourceFile>
-                <jsSourceFile>jquery.i18n.properties-1.0.9.js</jsSourceFile>
-                <jsSourceFile>archiva/i18nload.js</jsSourceFile>
-                <jsSourceFile>jquery.cookie.1.0.0.js</jsSourceFile>
-                <jsSourceFile>knockout-debug.js</jsSourceFile>
-                <jsSourceFile>jquery-ui-1.8.16.custom.min.js</jsSourceFile>
-                <jsSourceFile>jquery.validate.js</jsSourceFile>
-                <jsSourceFile>jquery.json-2.3.min.js</jsSourceFile>
-                <jsSourceFile>archiva/main-tmpl.js</jsSourceFile>
-                <jsSourceFile>archiva/repositories.js</jsSourceFile>
-                <jsSourceFile>archiva/network-proxies.js</jsSourceFile>
-                <jsSourceFile>archiva/proxy-connectors.js</jsSourceFile>
-                <jsSourceFile>redback/operation.js</jsSourceFile>
-                <jsSourceFile>redback/redback-tmpl.js</jsSourceFile>
-                <jsSourceFile>bootstrap.2.0.2.js</jsSourceFile>
-                <jsSourceFile>knockout.simpleGrid.js</jsSourceFile>
-                <jsSourceFile>redback/user.js</jsSourceFile>
-                <jsSourceFile>redback/users.js</jsSourceFile>
-                <jsSourceFile>redback/redback.js</jsSourceFile>
-                <jsSourceFile>redback/register.js</jsSourceFile>
-                <jsSourceFile>redback/permission.js</jsSourceFile>
-                <jsSourceFile>redback/resource.js</jsSourceFile>
-                <jsSourceFile>redback/roles.js</jsSourceFile>
-                <jsSourceFile>archiva/main.js</jsSourceFile>
-              </jsSourceFiles>
-              <jsFinalFile>apache-archiva-main-${project.version}.js</jsFinalFile>
-            </configuration>
-            <goals>
-              <goal>minify</goal>
-            </goals>
-          </execution>
-        </executions>
-      </plugin>
-      -->
       <plugin>
         <groupId>org.apache.tomcat.maven</groupId>
         <artifactId>tomcat7-maven-plugin</artifactId>
diff --git a/archiva-modules/plugins/maven2-repository/src/main/java/org/apache/archiva/repository/content/maven2/ManagedDefaultRepositoryContent.java b/archiva-modules/plugins/maven2-repository/src/main/java/org/apache/archiva/repository/content/maven2/ManagedDefaultRepositoryContent.java
index aa4ca8a5a..3304d4868 100644
--- a/archiva-modules/plugins/maven2-repository/src/main/java/org/apache/archiva/repository/content/maven2/ManagedDefaultRepositoryContent.java
+++ b/archiva-modules/plugins/maven2-repository/src/main/java/org/apache/archiva/repository/content/maven2/ManagedDefaultRepositoryContent.java
@@ -91,6 +91,13 @@ public class ManagedDefaultRepositoryContent
         {
             throw new ContentNotFoundException( "cannot found project " + namespace + ":" + projectId );
         }
+        try {
+            if (!directory.getCanonicalPath().equals(directory.getAbsolutePath())) {
+                throw new ContentNotFoundException( "Invalid directory for project " + namespace + ":" + projectId );
+            }
+        } catch (IOException e) {
+            throw new RepositoryException(e.getMessage(), e);
+        }
         if ( directory.isDirectory() )
         {
             try
-- 
2.39.5