#12142 Reject path traversal in imported binary references (#12141)

Co-authored-by: Claude <noreply@anthropic.com>

Author: rymsha

modules/core/core-export/src/main/java/com/enonic/xp/core/impl/export/NodeImporter.java

@@ -16,6 +16,7 @@
 import com.enonic.xp.core.impl.export.xml.XmlException;
 import com.enonic.xp.core.impl.export.xml.XmlNodeParser;
 import com.enonic.xp.core.impl.export.xml.XsltTransformer;
+import com.enonic.xp.core.internal.FileNames;
 import com.enonic.xp.data.Property;
 import com.enonic.xp.data.PropertyTree;
 import com.enonic.xp.data.ValueTypes;
@@ -361,6 +362,12 @@ private void addBinary( final VirtualFile nodeFile, final BinaryAttachments.Buil
     private VirtualFile tryFindBinaryFile( final VirtualFile nodeFile, final BinaryReference binaryReference )
     {
         final String binaryReferenceAsString = binaryReference.toString();
+
+        if ( !FileNames.isSafeFileName( Normalizer.normalize( binaryReferenceAsString, Normalizer.Form.NFC ) ) )
+        {
+            throw new ImportNodeException( "Invalid binary reference: " + binaryReferenceAsString );
+        }
+
         final VirtualFile binaryOriginal =
             nodeFile.resolve( nodeFile.getPath().join( SYSTEM_FOLDER_NAME, BINARY_FOLDER, binaryReferenceAsString ) );
 

modules/itest/itest-core/src/test/java/com/enonic/xp/core/export/NodeImporterIntegrationTest.java

@@ -389,6 +389,27 @@ void import_with_binary()
         assertNotNull( attachedBinary.getBlobKey() );
     }
 
+    @Test
+    void import_with_binary_path_traversal_rejected()
+        throws Exception
+    {
+        final Path file = Files.createDirectories(
+            resolveInTemporaryFolder( "myExport", "mynode" ).resolve( NodeExportPathResolver.SYSTEM_FOLDER_NAME ) ).resolve(
+            NodeExportPathResolver.NODE_XML_EXPORT_NAME );
+        copyFormResource( "node_with_traversal_binary.xml", file );
+
+        final NodeImportResult result = NodeImporter.create().
+            nodeService( this.nodeService ).
+            targetNodePath( NodePath.ROOT ).
+            sourceDirectory( VirtualFiles.from( temporaryFolder.resolve( "myExport" ) ) ).
+            build().
+            execute();
+
+        assertNull( nodeService.getByPath( new NodePath( "/mynode" ) ) );
+        assertTrue( result.getImportErrors().stream()
+                        .anyMatch( error -> error.getException().contains( "Invalid binary reference" ) ) );
+    }
+
     @Test
     void import_special_characters()
         throws Exception

modules/itest/itest-core/src/test/resources/com/enonic/xp/core/export/node_with_traversal_binary.xml

@@ -0,0 +1,19 @@
+<node>
+  <childOrder>_name DESC</childOrder>
+  <nodeType>content</nodeType>
+  <permissions/>
+  <data>
+    <string name="myString">myStringValue</string>
+    <binaryReference name="myImage">../../../../../../../../etc/passwd</binaryReference>
+  </data>
+  <indexConfigs>
+    <defaultConfig>
+      <decideByType>false</decideByType>
+      <enabled>true</enabled>
+      <nGram>true</nGram>
+      <fulltext>true</fulltext>
+      <includeInAllText>true</includeInAllText>
+    </defaultConfig>
+    <pathIndexConfigs/>
+  </indexConfigs>
+</node>