From 857b946689179ca9a93301e4a026aa5fed852e4e Mon Sep 17 00:00:00 2001 From: zhouoaoteng Date: Thu, 3 Apr 2025 11:38:59 +0800 Subject: [PATCH] add uri check Signed-off-by: zhouoaoteng --- .../file_access/include/file_access_helper.h | 1 + .../file_access/src/file_access_helper.cpp | 28 ++++++++++++ interfaces/kits/picker/picker.js | 2 + test/unittest/abnormal_file_access_test.cpp | 45 ++++++++++++++++++- .../external_file_access_test_basic.cpp | 43 +++++++++++++++++- 5 files changed, 117 insertions(+), 2 deletions(-) diff --git a/interfaces/inner_api/file_access/include/file_access_helper.h b/interfaces/inner_api/file_access/include/file_access_helper.h index 118bbaf1..2731c05d 100644 --- a/interfaces/inner_api/file_access/include/file_access_helper.h +++ b/interfaces/inner_api/file_access/include/file_access_helper.h @@ -66,6 +66,7 @@ public: Creator(const std::shared_ptr &context, const std::vector &wants); static std::shared_ptr Creator(const sptr &token, const std::vector &wants); + static bool IsFilePathValid(const std::string &filePath); bool Release(); int Access(Uri &uri, bool &isExist); diff --git a/interfaces/inner_api/file_access/src/file_access_helper.cpp b/interfaces/inner_api/file_access/src/file_access_helper.cpp index 49b65008..73ab30c6 100644 --- a/interfaces/inner_api/file_access/src/file_access_helper.cpp +++ b/interfaces/inner_api/file_access/src/file_access_helper.cpp @@ -47,6 +47,30 @@ sptr g_sourceExtProxy; sptr g_destExtProxy; std::vector deviceUris(DEVICE_ROOTS.begin(), DEVICE_ROOTS.end()); +static const std::string PATH_INVALID_FLAG1 = "../"; +static const std::string PATH_INVALID_FLAG2 = "/.."; +static const uint32_t PATH_INVALID_FLAG_LEN = 3; +static const char FILE_SEPARATOR_CHAR = '/'; + +bool FileAccessHelper::IsFilePathValid(const std::string &filePath) +{ + size_t pos = filePath.find(PATH_INVALID_FLAG1); + while (pos != string::npos) { + if (pos == 0 || filePath[pos - 1] == FILE_SEPARATOR_CHAR) { + HILOG_ERROR("Relative path is not allowed, path contain ../, path = %{private}s", + filePath.c_str()); + return false; + } + pos = filePath.find(PATH_INVALID_FLAG1, pos + PATH_INVALID_FLAG_LEN); + } + pos = filePath.rfind(PATH_INVALID_FLAG2); + if ((pos != string::npos) && (filePath.size() - pos == PATH_INVALID_FLAG_LEN)) { + HILOG_ERROR("Relative path is not allowed, path tail is /.., path = %{private}s", + filePath.c_str()); + return false; + } + return true; +} static int GetUserId() { @@ -90,6 +114,10 @@ static bool CheckUri(Uri &uri) HILOG_ERROR("Uri scheme error."); return false; } + if (!FileAccessHelper::IsFilePathValid(uri.ToString().c_str())) { + HILOG_ERROR("Uri is invalid."); + return false; + } return true; } diff --git a/interfaces/kits/picker/picker.js b/interfaces/kits/picker/picker.js index aa65e6d3..9acacc4d 100644 --- a/interfaces/kits/picker/picker.js +++ b/interfaces/kits/picker/picker.js @@ -587,8 +587,10 @@ async function sendResult(args, result) { return undefined; } if (args.length === ARGS_TWO && typeof args[ARGS_ONE] === 'function') { + console.log('[picker] sendresult is callback.'); return args[ARGS_ONE](result.error, result.data); } else if (args.length === ARGS_ONE && typeof args[ARGS_ZERO] === 'function') { + console.log('[picker] sendresult is callback without options'); return args[ARGS_ZERO](result.error, result.data); } return new Promise((resolve, reject) => { diff --git a/test/unittest/abnormal_file_access_test.cpp b/test/unittest/abnormal_file_access_test.cpp index c8f89596..d03c1f84 100755 --- a/test/unittest/abnormal_file_access_test.cpp +++ b/test/unittest/abnormal_file_access_test.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2022-2024 Huawei Device Co., Ltd. + * Copyright (c) 2022-2025 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -493,4 +493,47 @@ HWTEST_F(AbnormalFileExtensionHelperTest, abnormal_external_file_access_GetFileI GTEST_LOG_(INFO) << "AbnormalFileExtensionHelperTest-end" "abnormal_external_file_access_GetFileInfoFromRelativePath_0000"; } + +/** + * @tc.number: user_file_service_external_file_access_IsFilePathValid_0000 + * @tc.name: abnormal_external_file_access_IsFilePathValid_0000 + * @tc.desc: Test function of IsFilePathValid interface for ERROR because of invalid uri. + * @tc.size: MEDIUM + * @tc.type: FUNC + * @tc.level Level 1 + * @tc.require: I76YA0 + */ +HWTEST_F(AbnormalFileExtensionHelperTest, abnormal_external_file_access_IsFilePathValid_0000, + testing::ext::TestSize.Level1) +{ + GTEST_LOG_(INFO) << "IsFilePathValid0000 Start"; + try { + bool isValid = FileAccessHelper::IsFilePathValid("../test../test1"); + EXPECT_FALSE(isValid); + isValid = FileAccessHelper::IsFilePathValid("/../test../test1"); + EXPECT_FALSE(isValid); + isValid = FileAccessHelper::IsFilePathValid("test../../test"); + EXPECT_FALSE(isValid); + isValid = FileAccessHelper::IsFilePathValid("test../../"); + EXPECT_FALSE(isValid); + isValid = FileAccessHelper::IsFilePathValid("test../test../.."); + EXPECT_FALSE(isValid); + isValid = FileAccessHelper::IsFilePathValid("/test/..test/.."); + EXPECT_FALSE(isValid); + + isValid = FileAccessHelper::IsFilePathValid("test"); + EXPECT_TRUE(isValid); + isValid = FileAccessHelper::IsFilePathValid("/test/test../test"); + EXPECT_TRUE(isValid); + isValid = FileAccessHelper::IsFilePathValid("/test../test../test"); + EXPECT_TRUE(isValid); + isValid = FileAccessHelper::IsFilePathValid("/test../test../test../"); + EXPECT_TRUE(isValid); + isValid = FileAccessHelper::IsFilePathValid("/test../test../test../..test"); + EXPECT_TRUE(isValid); + } catch (...) { + GTEST_LOG_(INFO) << " IsFilePathValid0000 ERROR"; + } + GTEST_LOG_(INFO) << "IsFilePathValid00 End"; +} } // namespace diff --git a/test/unittest/external_file_access_test_basic.cpp b/test/unittest/external_file_access_test_basic.cpp index ec6636f0..8ff265d9 100644 --- a/test/unittest/external_file_access_test_basic.cpp +++ b/test/unittest/external_file_access_test_basic.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024 Huawei Device Co., Ltd. + * Copyright (c) 2024-2025 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -1483,6 +1483,47 @@ HWTEST_F(FileExtensionHelperTest, external_file_access_Move_0016, testing::ext:: GTEST_LOG_(INFO) << "FileExtensionHelperTest-end external_file_access_Move_0016"; } + +/** + * @tc.number: user_file_service_external_file_access_Move_0017 + * @tc.name: external_file_access_Move_0017 + * @tc.desc: Test function of Move uri is invalid . + * @tc.size: MEDIUM + * @tc.type: FUNC + * @tc.level Level 1 + * @tc.require: SR000H0387 + */ +HWTEST_F(FileExtensionHelperTest, external_file_access_Move_0017, testing::ext::TestSize.Level1) +{ + GTEST_LOG_(INFO) << "FileExtensionHelperTest-begin external_file_access_Move_0017"; + try { + shared_ptr fileAccessHelper = FileExtensionHelperTest::GetFileAccessHelper(); + EXPECT_NE(fileAccessHelper, nullptr); + vector info; + int result = fileAccessHelper->GetRoots(info); + EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK); + for (size_t i = 0; i < info.size(); i++) { + Uri parentUri(info[i].uri); + Uri invalidUri("file://docs/storage/currentUser/../Download"); + Uri newDirUriTest1(""); + result = fileAccessHelper->Mkdir(parentUri, "test1", newDirUriTest1); + EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK); + Uri testUri(""); + result = fileAccessHelper->CreateFile(newDirUriTest1, "test.txt", testUri); + EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK); + Uri testUri2(""); + result = fileAccessHelper->Move(testUri, invalidUri, testUri2); + EXPECT_NE(result, OHOS::FileAccessFwk::ERR_OK); + GTEST_LOG_(INFO) << "Move_0017 result:" << result; + result = fileAccessHelper->Delete(newDirUriTest1); + EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK); + } + } catch (...) { + GTEST_LOG_(ERROR) << "external_file_access_Move_0017 occurs an exception."; + } + GTEST_LOG_(INFO) << "FileExtensionHelperTest-end external_file_access_Move_0017"; +} + /** * @tc.number: user_file_service_external_file_access_creator_0000 * @tc.name: external_file_access_creator_0000 -- Gitee