Skip to content

Reject path traversal filenames during HMEF attachment extraction#1066

Merged
pjfanning merged 1 commit into
apache:trunkfrom
jmestwa-coder:hmef-attachment-path-traversal
May 15, 2026
Merged

Reject path traversal filenames during HMEF attachment extraction#1066
pjfanning merged 1 commit into
apache:trunkfrom
jmestwa-coder:hmef-attachment-path-traversal

Conversation

@jmestwa-coder
Copy link
Copy Markdown
Contributor

@jmestwa-coder jmestwa-coder commented May 12, 2026

Summary

Reject attachment filenames that would escape the selected extraction directory during HMEF/TNEF attachment extraction.

Previously, attachment filenames from TNEF metadata were written directly using:

new File(dir, filename)

This allowed traversal-style filenames such as ../escaped.txt to resolve outside the intended extraction directory.

Changes

  • normalize and validate resolved attachment output paths before writing files
  • reject attachment filenames that resolve outside the chosen extraction directory
  • add regression coverage for traversal-style attachment names

Test

Added a regression test that:

  • creates an in-memory malicious TNEF attachment using a traversal filename
  • verifies extraction throws IOException
  • verifies no file is created outside the extraction directory

pjfanning
pjfanning reviewed May 12, 2026
View reviewed changes
Comment thread poi-scratchpad/src/main/java/org/apache/poi/hmef/extractor/HMEFContentsExtractor.java Outdated
private static File getOutputFile(File dir, String filename) throws IOException {
Path outputDir = dir.toPath().toAbsolutePath().normalize();
Path outputFile = outputDir.resolve(filename).normalize();
if (!outputFile.startsWith(outputDir)) {
Copy link
Copy Markdown
Member

@pjfanning pjfanning May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you have a look at

poi/poi/src/main/java/org/apache/poi/util/IOUtils.java

Line 622 in 145ca46

* There is a check to prevent path traversal attacks. Only path traversal
and adjust that to have a shared method to do this check? Code reuse is important.

Copy link
Copy Markdown
Contributor Author

@jmestwa-coder jmestwa-coder May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion. Updated the patch to reuse IOUtils.newFile(...) for the extraction path validation.

@jmestwa-coder jmestwa-coder force-pushed the hmef-attachment-path-traversal branch from b6ab0ea to 55c2040 Compare May 15, 2026 18:54
@jmestwa-coder jmestwa-coder force-pushed the hmef-attachment-path-traversal branch from 55c2040 to 0f07f6f Compare May 15, 2026 18:54
pjfanning
pjfanning approved these changes May 15, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@pjfanning pjfanning left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@pjfanning pjfanning merged commit d43c238 into apache:trunk May 15, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pjfanning pjfanning pjfanning approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jmestwa-coder @pjfanning