Java - resolve path and prevent access above parent directory
In this article, we would like to show a simple way to resolve a path and prevent access above the parent directory in Java.
It is common to resolve paths on the server side in web applications. Sometimes it is necessary to send a path as an API parameter, which may be dangerous. In that case we need to control parameters that contain .., ../.., ../../.., etc. The solution to the problem is to use the resolve(), normalize() and startsWith() methods, as shown in the next section.
Practical example
In this section you will find a reusable tool that may be used to resolve paths while preventing access above the parent directory.
Program.java file:

import java.io.IOException;
import java.nio.file.Paths;

public class Program {

    public static void main(String[] args) throws IOException {

        var publicPath = Paths.get("/home/john/public");  // We allow to resolve paths only under this location.

        // Correct paths:
        //
        var picturesPath = PathUtils.resolvePath(publicPath, "pictures");  // ✅ /home/john/public/pictures
        var moviesPath = PathUtils.resolvePath(publicPath, "movies");      // ✅ /home/john/public/movies
        var musicPath = PathUtils.resolvePath(publicPath, "music");        // ✅ /home/john/public/music

        // Forbidden paths (they throw IOException: "Access to indicated directory is forbidden."):
        //
        var forbiddenPath1 = PathUtils.resolvePath(publicPath, "..");            // ❌ /home/john
        var forbiddenPath2 = PathUtils.resolvePath(publicPath, "../Desktop");    // ❌ /home/john/Desktop
        var forbiddenPath3 = PathUtils.resolvePath(publicPath, "../../..");      // ❌ /
        var forbiddenPath4 = PathUtils.resolvePath(publicPath, "../../../etc");  // ❌ /etc
    }
}
PathUtils.java file:

import java.io.IOException;
import java.nio.file.Path;

public final class PathUtils {

    public static Path resolvePath(Path parent, String path) throws IOException {
        var master = parent.normalize();
        var result = master.resolve(path)
                .normalize();
        if (result.startsWith(master)) {
            return result;
        }
        throw new IOException("Access to indicated directory is forbidden.");
    }

    public static Path resolvePath(Path parent, Path path) throws IOException {
        var master = parent.normalize();
        var result = master.resolve(path)
                .normalize();
        if (result.startsWith(master)) {
            return result;
        }
        throw new IOException("Access to indicated directory is forbidden.");
    }
}
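resolve(), normalize() and startsWith() operate on the path text only and never access the file system, so a symbolic link located inside the parent directory that points elsewhere still passes the check above. The following is an added example, not part of the original article, that additionally compares real paths with toRealPath(); SafePathUtils and resolveRealPath are hypothetical names, and the directory layout used in main() is constructed in a temporary directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;

// Added example: SafePathUtils and resolveRealPath are hypothetical names.
public final class SafePathUtils {

    // Rejects paths that leave parent lexically ("..", absolute paths)
    // or through a symbolic link stored inside parent.
    public static Path resolveRealPath(Path parent, String path) throws IOException {
        var master = parent.toRealPath();  // parent must exist; its own symlinks are resolved
        var result = master.resolve(path).normalize();
        if (!result.startsWith(master)) {
            throw new IOException("Access to indicated directory is forbidden.");
        }
        // The target may not exist yet (e.g. a file about to be created), so walk up
        // to the nearest existing entry. A dangling symlink counts as existing here.
        var existing = result;
        while (!Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            existing = existing.getParent();
        }
        // toRealPath() follows symlinks; it throws IOException for a dangling link.
        if (!existing.toRealPath().startsWith(master)) {
            throw new IOException("Access to indicated directory is forbidden.");
        }
        return result;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout:
        //   <tmp>/public/pictures          regular directory
        //   <tmp>/public/link -> <tmp>/private   symlink leaving public
        var tmp = Files.createTempDirectory("demo");
        var publicPath = Files.createDirectories(tmp.resolve("public/pictures")).getParent();
        var privatePath = Files.createDirectory(tmp.resolve("private"));
        Files.createSymbolicLink(publicPath.resolve("link"), privatePath);

        for (var input : new String[] {"pictures", "pictures/new.png", "../private", "link", "link/secret.txt"}) {
            try {
                System.out.println("allowed:  " + resolveRealPath(publicPath, input));
            } catch (IOException e) {
                System.out.println("rejected: " + input);
            }
        }
    }
}
```

The first two inputs are allowed and the last three are rejected. The check and the later file access are separate steps, so the parent directory should not be writable by the party that supplies the path.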
Alternative titles
- Java - resolve path and protect access above parent directory
- Java - resolve path and block access above parent directory
- Java - resolve path and prevent access over parent directory
- Java - resolve path and protect access over parent directory
- Java - resolve path and block access over parent directory
- Java - resolve path and prevent access above base directory