Fix path traversal, resource leak, and race condition in module system

pditommaso · claude · pditommaso · commit 85603150cc1c · 2026-03-17T09:51:13.000+01:00
Signed-off-by: Paolo Di Tommaso &lt;paolo.ditommaso@gmail.com&gt;
Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
Signed-off-by: Paolo Di Tommaso &lt;paolo.ditommaso@gmail.com&gt;
diff --git a/modules/nextflow/src/main/groovy/nextflow/cli/module/CmdModuleInstall.groovy b/modules/nextflow/src/main/groovy/nextflow/cli/module/CmdModuleInstall.groovy
@@ -28,6 +28,7 @@ import nextflow.exception.AbortOperationException
 import nextflow.module.ModuleReference
 import nextflow.module.ModuleRegistryClient
 import nextflow.module.ModuleResolver
+import nextflow.module.ModuleSpec
 
 import nextflow.util.TestOnly
 
@@ -85,7 +86,8 @@ class CmdModuleInstall extends CmdBase {
 
         try {
             def installedMainFile = resolver.installModule(reference, version, force)
-            def installedVersion = version ?: resolver.resolveVersion(reference)
+            // Read the installed version from meta.yml to avoid a redundant registry call
+            def installedVersion = ModuleSpec.load(installedMainFile.parent.resolve('meta.yml')).version
 
             println "Module ${reference}@${installedVersion} installed and configured successfully"
         }
diff --git a/modules/nextflow/src/main/groovy/nextflow/module/ModuleSpec.groovy b/modules/nextflow/src/main/groovy/nextflow/module/ModuleSpec.groovy
@@ -54,7 +54,10 @@ class ModuleSpec {
 
         try {
             def yaml = new Yaml()
-            def data = yaml.load(Files.newInputStream(metaYamlPath)) as Map<String, Object>
+            Map<String, Object> data
+            try( def stream = Files.newInputStream(metaYamlPath) ) {
+                data = yaml.load(stream) as Map<String, Object>
+            }
 
             def spec = new ModuleSpec()
             spec.name = data.name as String
diff --git a/modules/nf-lang/src/main/java/nextflow/module/spi/FallbackRemoteModuleResolver.java b/modules/nf-lang/src/main/java/nextflow/module/spi/FallbackRemoteModuleResolver.java
@@ -32,10 +32,15 @@ public class FallbackRemoteModuleResolver implements RemoteModuleResolver {
 
     @Override
     public Path resolve(String moduleName, Path baseDir) {
-        if (!Files.exists(baseDir.resolve(moduleName))) {
-            throw new IllegalStateException("Module '" + moduleName + "' not locally found at 'modules' folder - use 'nextflow install' to download module files");
+        final var resolved = baseDir.resolve(moduleName).normalize();
+        // Prevent path traversal outside the base directory
+        if (!resolved.startsWith(baseDir.normalize())) {
+            throw new IllegalStateException("Invalid module name '" + moduleName + "' - path escapes the modules directory");
         }
-        return baseDir.resolve(moduleName).resolve("main.nf");
+        if (!Files.exists(resolved)) {
+            throw new IllegalStateException("Module '" + moduleName + "' not locally found at 'modules' folder - use 'nextflow module install' to download module files");
+        }
+        return resolved.resolve("main.nf");
     }
 
     @Override
