Mastodawn

Messing for hours with #Java Path api. Safely do:
- given input path, possibly adversarial
- prefix it with a configured outPrefix
- ** make sure the result really points to a file/dir below outPrefix **

Consider a somewhat unluckily configured outPrefix = ".." and an adversarial path "../..". Path.of("../..").startsWith("..") is true. But startsWith() is what AI-coders and even stackoverflow suggest. 😱

FAIL.

https://stackoverflow.com/a/50731050/2954288

#pathTraversal #security #itsecurity #pathTraversalAttac

What's the right way in Java 8 to evaluate if /path/a is a subdirectory of /path?

Pretty much what the title asks. Say I'm passed a Path of "/tmp/foo/bar" and I want to specifically ensure that that path is a subdirectory of a path "/tmp", what is the most "Java 8"ish way of go...

Stack Overflow