diff --git a/services/distributeddataservice/framework/include/utils/constant.h b/services/distributeddataservice/framework/include/utils/constant.h index 48aaf1547b6bfe6012bbf89f830a391b1ca9599f..cb51ea97db6e7047f49509c2372866e2da9308aa 100644 --- a/services/distributeddataservice/framework/include/utils/constant.h +++ b/services/distributeddataservice/framework/include/utils/constant.h @@ -83,6 +83,7 @@ public: template static T TrimCopy(T s); + API_EXPORT static bool IsValidPath(const std::string ¶m); API_EXPORT static constexpr const char *KEY_SEPARATOR = "###"; private: diff --git a/services/distributeddataservice/framework/test/constant_test.cpp b/services/distributeddataservice/framework/test/constant_test.cpp index 0defc6ccc9fe8073569baa2831ccbb407656c43e..335249efd6f23b472ddf7720f34aa85501c29eb1 100644 --- a/services/distributeddataservice/framework/test/constant_test.cpp +++ b/services/distributeddataservice/framework/test/constant_test.cpp @@ -170,3 +170,29 @@ HWTEST_F(ConstantTest, SplitStringLongDelimTest, TestSize.Level1) EXPECT_EQ(tokens[0], "abc"); EXPECT_EQ(tokens[1], "&123"); } + +/** + * @tc.name: IsValidField001 + * @tc.desc: IsValidField function test. + * @tc.type: FUNC + */ +HWTEST_F(ConstantTest, IsValidField001, TestSize.Level0) +{ + EXPECT_TRUE(Constant::IsValidPath("validpath")); + EXPECT_TRUE(Constant::IsValidPath("another_valid_path")); + EXPECT_TRUE(Constant::IsValidPath("/file123")); + EXPECT_TRUE(Constant::IsValidPath("/file123../aaa")); +} + +/** + * @tc.name: IsValidField002 + * @tc.desc: IsValidField function test. + * @tc.type: FUNC + */ +HWTEST_F(ConstantTest, IsValidField002, TestSize.Level0) +{ + EXPECT_FALSE(Constant::IsValidPath("../starting/slash")); + EXPECT_FALSE(Constant::IsValidPath("ending/../slash/")); + EXPECT_FALSE(Constant::IsValidPath("../../")); + EXPECT_FALSE(Constant::IsValidPath("path/with\\mixed/slashes/..")); +} diff --git a/services/distributeddataservice/framework/utils/constant.cpp b/services/distributeddataservice/framework/utils/constant.cpp index f0b40f544ef88b25e23c66a4db758a5dbe1930a3..cdf9ede9d3d24917622a624f21c1e3e9543aad92 100644 --- a/services/distributeddataservice/framework/utils/constant.cpp +++ b/services/distributeddataservice/framework/utils/constant.cpp @@ -20,6 +20,11 @@ namespace OHOS { namespace DistributedData { constexpr const char *Constant::KEY_SEPARATOR; +static const std::string PATH_INVALID_FLAG_LEADING = "../"; +static const std::string PATH_INVALID_FLAG_TRAILING = "/.."; +static const uint32_t PATH_INVALID_FLAG_LEN = 3; +static const char FILE_SEPARATOR_CHAR = '/'; + std::string Constant::Concatenate(std::initializer_list stringList) { std::string result; @@ -92,5 +97,21 @@ bool Constant::DCopy(uint8_t *tag, size_t tagLen, const uint8_t *src, size_t src auto ret = memcpy_s(tag, tagLen, src, srcLen); return ret == EOK; } + +bool Constant::IsValidPath(const std::string ¶m) +{ + size_t pos = param.find(PATH_INVALID_FLAG_LEADING); + while (pos != std::string::npos) { + if (pos == 0 || param[pos - 1] == FILE_SEPARATOR_CHAR) { + return false; + } + pos = param.find(PATH_INVALID_FLAG_LEADING, pos + PATH_INVALID_FLAG_LEN); + } + pos = param.rfind(PATH_INVALID_FLAG_TRAILING); + if ((pos != std::string::npos) && (param.size() - pos == PATH_INVALID_FLAG_LEN)) { + return false; + } + return true; +} } // namespace DistributedData } // namespace OHOS diff --git a/services/distributeddataservice/service/kvdb/kvdb_general_store.cpp b/services/distributeddataservice/service/kvdb/kvdb_general_store.cpp index f18d59547fa5cbb3b8d3605abf5c8d9c1dba174c..39853c5a0894efec55083d24a16b8ad5f8346701 100644 --- a/services/distributeddataservice/service/kvdb/kvdb_general_store.cpp +++ b/services/distributeddataservice/service/kvdb/kvdb_general_store.cpp @@ -40,6 +40,7 @@ #include "types.h" #include "user_delegate.h" #include "utils/anonymous.h" +#include "utils/constant.h" namespace OHOS::DistributedKv { using namespace DistributedData; @@ -176,6 +177,10 @@ KVDBGeneralStore::KVDBGeneralStore(const StoreMetaData &meta) MetaDataManager::GetInstance().LoadMeta(meta.GetKeyLocal(), local, true); isPublic_ = local.isPublic; DBStatus status = DBStatus::NOT_FOUND; + if (!Constant::IsValidPath(meta.dataDir)) { + ZLOGE("path is invalid. dataDir is %{public}s", Anonymous::Change(meta.dataDir).c_str()); + return; + } manager_.SetKvStoreConfig({ meta.dataDir }); std::unique_lock lock(rwMutex_); manager_.GetKvStore(