diff --git a/interfaces/inner_api/file_access/include/file_access_helper.h b/interfaces/inner_api/file_access/include/file_access_helper.h
index 118bbaf196b4bd5989c0d02e9fa65607a78dfaf4..2731c05d3cc8035a96a23bcad83477c1535d790a 100644
--- a/interfaces/inner_api/file_access/include/file_access_helper.h
+++ b/interfaces/inner_api/file_access/include/file_access_helper.h
@@ -66,6 +66,7 @@ public:
 Creator(const std::shared_ptr &context, const std::vector &wants);
 static std::shared_ptr Creator(const sptr &token, const std::vector &wants);
+ static bool IsFilePathValid(const std::string &filePath);
 bool Release();
 int Access(Uri &uri, bool &isExist);
diff --git a/interfaces/inner_api/file_access/src/file_access_helper.cpp b/interfaces/inner_api/file_access/src/file_access_helper.cpp
index 49b650085dc60b8096d0fc31ae300c74404a4155..73ab30c63ca90eb1643f82167efb2175d5fb9d0d 100644
--- a/interfaces/inner_api/file_access/src/file_access_helper.cpp
+++ b/interfaces/inner_api/file_access/src/file_access_helper.cpp
@@ -47,6 +47,30 @@ sptr g_sourceExtProxy;
 sptr g_destExtProxy;
 std::vector deviceUris(DEVICE_ROOTS.begin(), DEVICE_ROOTS.end());
+static const std::string PATH_INVALID_FLAG1 = "../";
+static const std::string PATH_INVALID_FLAG2 = "/..";
+static const uint32_t PATH_INVALID_FLAG_LEN = 3;
+static const char FILE_SEPARATOR_CHAR = '/';
+
+bool FileAccessHelper::IsFilePathValid(const std::string &filePath)
+{
+ size_t pos = filePath.find(PATH_INVALID_FLAG1);
+ while (pos != string::npos) {
+ if (pos == 0 || filePath[pos - 1] == FILE_SEPARATOR_CHAR) {
+ HILOG_ERROR("Relative path is not allowed, path contain ../, path = %{private}s",
+ filePath.c_str());
+ return false;
+ }
+ pos = filePath.find(PATH_INVALID_FLAG1, pos + PATH_INVALID_FLAG_LEN);
+ }
+ pos = filePath.rfind(PATH_INVALID_FLAG2);
+ if ((pos != string::npos) && (filePath.size() - pos == PATH_INVALID_FLAG_LEN)) {
+ HILOG_ERROR("Relative path is not allowed, path tail is /.., path = %{private}s",
+ filePath.c_str());
+ return false;
+ }
+ return true;
+}
 static int GetUserId()
 {
@@ -90,6 +114,10 @@ static bool CheckUri(Uri &uri)
 HILOG_ERROR("Uri scheme error.");
 return false;
 }
+ if (!FileAccessHelper::IsFilePathValid(uri.ToString().c_str())) {
+ HILOG_ERROR("Uri is invalid.");
+ return false;
+ }
 return true;
 }
diff --git a/interfaces/kits/picker/picker.js b/interfaces/kits/picker/picker.js
index aa65e6d33b163e8f63c7fee8a38015cb59b89dcc..9acacc4d459308662531f8c2dcfaf5f7f4a9eaf5 100644
--- a/interfaces/kits/picker/picker.js
+++ b/interfaces/kits/picker/picker.js
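Review bot: `FileAccessHelper::IsFilePathValid` (first hunk of file_access_helper.cpp) matches only the literal sequences `../` and a trailing `/..`, so a path that is exactly `..` is reported valid, and so is any dot segment that reaches this function still percent-encoded. Whether callers decode before or after this check is not visible in the hunk, so the function should state its contract, for example `// Rejects any ".." path component; filePath must already be percent-decoded.`, and the check is simpler and complete for literal input when it is written per path component instead of per substring, as sketched below. `string::npos` also depends on a using-directive outside the hunk; `std::string::npos` is self-contained.

```cpp
bool FileAccessHelper::IsFilePathValid(const std::string &filePath)
{
    size_t begin = 0;
    while (begin <= filePath.size()) {
        size_t end = filePath.find(FILE_SEPARATOR_CHAR, begin);
        if (end == std::string::npos) {
            end = filePath.size();
        }
        // A component is rejected only when it is exactly "..", so names such as "test.." stay valid.
        if (end - begin == 2 && filePath.compare(begin, 2, "..") == 0) {
            HILOG_ERROR("Relative path is not allowed, path = %{private}s", filePath.c_str());
            return false;
        }
        begin = end + 1;
    }
    return true;
}
```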
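Review bot: In `CheckUri` (second hunk of file_access_helper.cpp) the new check is applied to `uri.ToString()`, the whole URI text, so the tail test for `/..` only fires when nothing follows the path; a `/..` segment followed by a query or fragment is not at the end of the string and would pass. If the `Uri` type exposes the parsed path, validating that value is the more reliable choice; this is an assumption, since the class is not shown here. The `.c_str()` round trip also builds a second `std::string` that stops at the first NUL byte, so the text that is validated can differ from the URI that is used; passing the string directly avoids that: `if (!FileAccessHelper::IsFilePathValid(uri.ToString())) {`. `CheckUri` begins outside the hunk.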
@@ -587,8 +587,10 @@ async function sendResult(args, result) {
 return undefined;
 }
 if (args.length === ARGS_TWO && typeof args[ARGS_ONE] === 'function') {
+ console.log('[picker] sendresult is callback.');
 return args[ARGS_ONE](result.error, result.data);
 } else if (args.length === ARGS_ONE && typeof args[ARGS_ZERO] === 'function') {
+ console.log('[picker] sendresult is callback without options');
 return args[ARGS_ZERO](result.error, result.data);
 }
 return new Promise((resolve, reject) => {
diff --git a/test/unittest/abnormal_file_access_test.cpp b/test/unittest/abnormal_file_access_test.cpp
index c8f89596e9724e179b947040352bf34edfca22e5..d03c1f84503c5554affb20542949a64fa0e18401 100755
--- a/test/unittest/abnormal_file_access_test.cpp
+++ b/test/unittest/abnormal_file_access_test.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
+ * Copyright (c) 2022-2025 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
@@ -493,4 +493,47 @@ HWTEST_F(AbnormalFileExtensionHelperTest, abnormal_external_file_access_GetFileI
 GTEST_LOG_(INFO) << "AbnormalFileExtensionHelperTest-end" "abnormal_external_file_access_GetFileInfoFromRelativePath_0000";
 }
+
+/**
+ * @tc.number: user_file_service_external_file_access_IsFilePathValid_0000
+ * @tc.name: abnormal_external_file_access_IsFilePathValid_0000
+ * @tc.desc: Test function of IsFilePathValid interface for ERROR because of invalid uri.
+ * @tc.size: MEDIUM
+ * @tc.type: FUNC
+ * @tc.level Level 1
+ * @tc.require: I76YA0
+ */
+HWTEST_F(AbnormalFileExtensionHelperTest, abnormal_external_file_access_IsFilePathValid_0000,
+ testing::ext::TestSize.Level1)
+{
+ GTEST_LOG_(INFO) << "IsFilePathValid0000 Start";
+ try {
+ bool isValid = FileAccessHelper::IsFilePathValid("../test../test1");
+ EXPECT_FALSE(isValid);
+ isValid = FileAccessHelper::IsFilePathValid("/../test../test1");
+ EXPECT_FALSE(isValid);
+ isValid = FileAccessHelper::IsFilePathValid("test../../test");
+ EXPECT_FALSE(isValid);
+ isValid = FileAccessHelper::IsFilePathValid("test../../");
+ EXPECT_FALSE(isValid);
+ isValid = FileAccessHelper::IsFilePathValid("test../test../..");
+ EXPECT_FALSE(isValid);
+ isValid = FileAccessHelper::IsFilePathValid("/test/..test/..");
+ EXPECT_FALSE(isValid);
+
+ isValid = FileAccessHelper::IsFilePathValid("test");
+ EXPECT_TRUE(isValid);
+ isValid = FileAccessHelper::IsFilePathValid("/test/test../test");
+ EXPECT_TRUE(isValid);
+ isValid = FileAccessHelper::IsFilePathValid("/test../test../test");
+ EXPECT_TRUE(isValid);
+ isValid = FileAccessHelper::IsFilePathValid("/test../test../test../");
+ EXPECT_TRUE(isValid);
+ isValid = FileAccessHelper::IsFilePathValid("/test../test../test../..test");
+ EXPECT_TRUE(isValid);
+ } catch (...) {
+ GTEST_LOG_(INFO) << " IsFilePathValid0000 ERROR";
+ }
+ GTEST_LOG_(INFO) << "IsFilePathValid00 End";
+}
 } // namespace
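Review bot: The `catch (...)` block in `abnormal_external_file_access_IsFilePathValid_0000` only writes an INFO log, so an exception thrown part-way through would leave the test green with the remaining cases never run; the same pattern is in `external_file_access_Move_0017` in external_file_access_test_basic.cpp. Recording a failure in the handler, `ADD_FAILURE() << "IsFilePathValid0000 threw";`, keeps the result honest. The negative cases also omit a path that is exactly `..`, which the implementation in this commit accepts; if that input is meant to be rejected, `EXPECT_FALSE(FileAccessHelper::IsFilePathValid(".."));` would pin it. The closing log reads `IsFilePathValid00 End` while the opening one reads `IsFilePathValid0000 Start`.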
diff --git a/test/unittest/external_file_access_test_basic.cpp b/test/unittest/external_file_access_test_basic.cpp
index ec6636f03da61a553edb2c1d19b69a3fb81908ed..8ff265d95c452ebd7b5f4fe4e9c63461f87a0831 100644
--- a/test/unittest/external_file_access_test_basic.cpp
+++ b/test/unittest/external_file_access_test_basic.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Copyright (c) 2024-2025 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
@@ -1483,6 +1483,47 @@ HWTEST_F(FileExtensionHelperTest, external_file_access_Move_0016, testing::ext::
 GTEST_LOG_(INFO) << "FileExtensionHelperTest-end external_file_access_Move_0016";
 }
+
+/**
+ * @tc.number: user_file_service_external_file_access_Move_0017
+ * @tc.name: external_file_access_Move_0017
+ * @tc.desc: Test function of Move uri is invalid .
+ * @tc.size: MEDIUM
+ * @tc.type: FUNC
+ * @tc.level Level 1
+ * @tc.require: SR000H0387
+ */
+HWTEST_F(FileExtensionHelperTest, external_file_access_Move_0017, testing::ext::TestSize.Level1)
+{
+ GTEST_LOG_(INFO) << "FileExtensionHelperTest-begin external_file_access_Move_0017";
+ try {
+ shared_ptr fileAccessHelper = FileExtensionHelperTest::GetFileAccessHelper();
+ EXPECT_NE(fileAccessHelper, nullptr);
+ vector info;
+ int result = fileAccessHelper->GetRoots(info);
+ EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK);
+ for (size_t i = 0; i < info.size(); i++) {
+ Uri parentUri(info[i].uri);
+ Uri invalidUri("file://docs/storage/currentUser/../Download");
+ Uri newDirUriTest1("");
+ result = fileAccessHelper->Mkdir(parentUri, "test1", newDirUriTest1);
+ EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK);
+ Uri testUri("");
+ result = fileAccessHelper->CreateFile(newDirUriTest1, "test.txt", testUri);
+ EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK);
+ Uri testUri2("");
+ result = fileAccessHelper->Move(testUri, invalidUri, testUri2);
+ EXPECT_NE(result, OHOS::FileAccessFwk::ERR_OK);
+ GTEST_LOG_(INFO) << "Move_0017 result:" << result;
+ result = fileAccessHelper->Delete(newDirUriTest1);
+ EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK);
+ }
+ } catch (...) {
+ GTEST_LOG_(ERROR) << "external_file_access_Move_0017 occurs an exception.";
+ }
+ GTEST_LOG_(INFO) << "FileExtensionHelperTest-end external_file_access_Move_0017";
+}
+
 /**
 * @tc.number: user_file_service_external_file_access_creator_0000
 * @tc.name: external_file_access_creator_0000
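Review bot: `external_file_access_Move_0017` only checks `EXPECT_NE(result, OHOS::FileAccessFwk::ERR_OK)` for the rejected move, so it passes on any unrelated failure and does not show that the new URI validation is what refused `invalidUri`. Asserting the specific error code that the validation path returns (not visible in this diff) would tie the test to the check it is meant to cover. The test also dereferences `fileAccessHelper` directly after `EXPECT_NE(fileAccessHelper, nullptr)`, which does not stop execution on failure; `ASSERT_NE(fileAccessHelper, nullptr);` would.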