
I want to forbid a Spring webapp (running in Tomcat) from using any file paths that include ".." in them.

Obviously the first place to do this is at the points where user information is sanitized before being used in file paths. However, there are hundreds of places in the app that do file access and it would take quite a lot of effort to manually verify that all of them are implemented correctly.

I'd like to just do something like add or modify the Java SecurityManager to prevent filenames from having ".." in them.

My first attempt was to create my own SecurityManager and override methods like checkRead and checkWrite, but it turns out that's not sufficient. The default implementations of the methods appear to disallow everything anyway, so I suspect creating one from scratch isn't really the way it's supposed to be done.

Another possibility I suppose would be to use AspectJ, but if I can make SecurityManager work that seems like a better idea.

So, what's the simplest thing I can do to disallow ".." in all filenames? Are there any SecurityManager implementations I can just install and use which are meant to make webapps more secure?

HappyEngineer
  • I think you cannot do that with the security manager. It will check the file permissions on the normalized path. However, this is actually better anyway: no matter how somebody tries to access a file, it will only be allowed if it is in the right place. – eckes Jan 03 '15 at 17:45

1 Answer

Using .. means it's using some parent directory. You could use the SecurityManager to check that a file is allowed only if it's inside your allowed directories:

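import java.io.FilePermission;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;

@Override
public void checkPermission(Permission perm) {
    if (perm instanceof FilePermission) {
        // Make the path absolute before normalizing so a leading ".." is resolved too
        Path path = Paths.get(perm.getName()).toAbsolutePath().normalize();
        Path root = Paths.get(myAllowedRootDir).toAbsolutePath().normalize();
        //TODO: check that path is in one of allowed directories
        // Compare whole path elements; a String prefix would also match "<root>-other"
        if (!path.startsWith(root))
            throw new SecurityException("Not allowed");
    }
}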
Andrejs
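The "allowed directories" check from the answer above, written out for several roots as an added example (not code from the answer or from any library). The class name AllowedDirs, the method isAllowed and every directory name are hypothetical, and the sample paths are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: AllowedDirs, isAllowed and all directory names are hypothetical.
public class AllowedDirs {
    private final List<Path> roots = new ArrayList<>();

    public AllowedDirs(List<String> allowedRoots) {
        // Store every root in absolute, normalized form so comparisons are like-for-like.
        for (String r : allowedRoots) {
            roots.add(Paths.get(r).toAbsolutePath().normalize());
        }
    }

    /** True only if the name, once ".." is resolved, lies under an allowed root. */
    public boolean isAllowed(String requested) {
        // Absolute first, then normalize: a relative name such as "../x" keeps its
        // leading ".." if normalized while still relative.
        Path p = Paths.get(requested).toAbsolutePath().normalize();
        for (Path root : roots) {
            // Path.startsWith matches whole name elements, so "/srv/app/data"
            // is not treated as a prefix of "/srv/app/data-old".
            if (p.startsWith(root)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        AllowedDirs dirs = new AllowedDirs(
                Arrays.asList("/srv/app/data", "/srv/app/uploads")); // constructed roots
        String[] samples = {                           // constructed sample names
            "/srv/app/data/report.txt",                // plain file under a root
            "/srv/app/data/../uploads/a.png",          // ".." that lands in another root
            "/srv/app/data/../../conf/db.properties",  // ".." that climbs out of every root
            "/srv/app/data-old/report.txt",            // sibling sharing a string prefix
            "../outside.txt",                          // relative name with leading ".."
        };
        for (String s : samples) {
            System.out.println((dirs.isAllowed(s) ? "allow " : "deny  ") + s);
        }
    }
}
```

normalize() is purely lexical and does not follow symbolic links, so where links inside an allowed root matter, compare Path.toRealPath() results for files that exist. The helper does not depend on SecurityManager, which is deprecated for removal since Java 17 (JEP 411), so it can also be called directly at the file-access points.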