fix(security): block critical CWE-22 path traversal in file uploads

Mitigate unauthenticated arbitrary file write / potential RCE vector in upload flows.

- enforce normalized path resolution and storage-boundary checks before file writes

- reject traversal attempts and invalid path input with HTTP 400

- decouple logical filename from physical storage via UUID-based keys

- preserve original client filename as metadata and expose it in download headers

- add malicious-payload regression tests for service and repository HTTP APIs

- replay PoC payloads and verify no marker file is created outside storage boundary

Author: aaronzi

basyx.common/basyx.filerepository-backend-inmemory/src/main/java/org/eclipse/digitaltwin/basyx/core/filerepository/InMemoryFileRepository.java

@@ -32,7 +32,10 @@
 import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.InvalidPathException;
+import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
 
 import org.apache.commons.io.IOUtils;
 import org.eclipse.digitaltwin.basyx.core.exceptions.FileDoesNotExistException;
@@ -50,13 +53,18 @@
 public class InMemoryFileRepository implements FileRepository {
 
 	private static final String TEMP_DIRECTORY_PREFIX = "basyx-temp";
-	private String tmpDirectory = getTemporaryDirectoryPath();
+	private final Path tmpDirectoryPath = Paths.get(getTemporaryDirectoryPath()).toAbsolutePath().normalize();
+	private final Map<String, String> originalFileNames = new ConcurrentHashMap<>();
 
 	@Override
 	public String save(FileMetadata fileMetadata) throws FileHandlingException {
-		String filePath = createFilePath(fileMetadata.getFileName());
+		Path targetPath = createFilePath(fileMetadata.getFileName());
+		String filePath = targetPath.toString();
 
-		java.io.File targetFile = new java.io.File(filePath);
+		if (Files.exists(targetPath))
+			throw new FileHandlingException("File '%s' already exists.".formatted(filePath));
+
+		java.io.File targetFile = targetPath.toFile();
 
 		try (FileOutputStream outStream = new FileOutputStream(targetFile)) {
 			IOUtils.copy(fileMetadata.getFileContent(), outStream);
@@ -65,50 +73,82 @@ public String save(FileMetadata fileMetadata) throws FileHandlingException {
 		}
 
 		fileMetadata.setFileName(filePath);
+		String originalFileName = fileMetadata.getOriginalFileName();
+
+		if (originalFileName == null || originalFileName.isBlank())
+			originalFileName = targetPath.getFileName().toString();
+
+		originalFileNames.put(filePath, originalFileName);
 
 		return filePath;
 	}
 
 	@Override
 	public InputStream find(String fileId) throws FileDoesNotExistException {
+		Path filePath;
 
 		try {
-			return new FileInputStream(fileId);
+			filePath = resolveStoredFilePath(fileId);
+		} catch (IllegalArgumentException | SecurityException e) {
+			throw new FileDoesNotExistException();
+		}
+
+		try {
+			return new FileInputStream(filePath.toFile());
 		} catch (FileNotFoundException e) {
 			throw new FileDoesNotExistException();
 		}
 	}
 
 	@Override
 	public void delete(String fileId) throws FileDoesNotExistException {
+		Path filePath;
 
-		if (!exists(fileId))
+		try {
+			filePath = resolveStoredFilePath(fileId);
+		} catch (IllegalArgumentException | SecurityException e) {
 			throw new FileDoesNotExistException();
+		}
 
-		java.io.File tmpFile = new java.io.File(fileId);
+		if (!Files.exists(filePath))
+			throw new FileDoesNotExistException();
+
+		java.io.File tmpFile = filePath.toFile();
 
 		tmpFile.delete();
+		originalFileNames.remove(filePath.toString());
 	}
 
 	@Override
 	public boolean exists(String fileId) {
 		if(fileId == null) return false;
 
-		if (fileId.isBlank() || !isFilePathValid(fileId))
+		if (fileId.isBlank())
+			return false;
+
+		Path filePath;
+
+		try {
+			filePath = resolveStoredFilePath(fileId);
+		} catch (IllegalArgumentException | SecurityException e) {
 			return false;
+		}
 
-		return Files.exists(Paths.get(fileId));
+		return Files.exists(filePath);
 	}
 
-	private boolean isFilePathValid(String filePath) {
+	@Override
+	public String getOriginalFileName(String fileId) {
+		Path filePath;
 
 		try {
-			Paths.get(filePath);
-		} catch (InvalidPathException | NullPointerException ex) {
-			return false;
+			filePath = resolveStoredFilePath(fileId);
+		} catch (IllegalArgumentException | SecurityException e) {
+			return fileId;
 		}
 
-		return true;
+		String key = filePath.toString();
+		return originalFileNames.getOrDefault(key, filePath.getFileName().toString());
 	}
 
 	private String getTemporaryDirectoryPath() {
@@ -123,8 +163,42 @@ private String getTemporaryDirectoryPath() {
 		return tempDirectoryPath;
 	}
 
-	private String createFilePath(String fileName) {
-		return tmpDirectory + "/" + fileName;
+	private Path createFilePath(String fileName) {
+		if (fileName == null || fileName.isBlank())
+			throw new IllegalArgumentException("File name must not be null or blank.");
+
+		Path resolvedPath;
+
+		try {
+			resolvedPath = tmpDirectoryPath.resolve(fileName).normalize();
+		} catch (InvalidPathException e) {
+			throw new IllegalArgumentException("Invalid file name '%s'.".formatted(fileName), e);
+		}
+
+		if (!resolvedPath.startsWith(tmpDirectoryPath))
+			throw new SecurityException("Path traversal attempt detected.");
+
+		return resolvedPath;
+	}
+
+	private Path resolveStoredFilePath(String fileId) {
+		Path filePath;
+
+		try {
+			filePath = Paths.get(fileId);
+		} catch (InvalidPathException e) {
+			throw new IllegalArgumentException("Invalid file id '%s'.".formatted(fileId), e);
+		}
+
+		if (!filePath.isAbsolute())
+			filePath = tmpDirectoryPath.resolve(filePath);
+
+		filePath = filePath.normalize();
+
+		if (!filePath.startsWith(tmpDirectoryPath))
+			throw new SecurityException("Path traversal attempt detected.");
+
+		return filePath;
 	}
 
 }

basyx.common/basyx.filerepository-backend-inmemory/src/test/java/org/eclipse/digitaltwin/basyx/core/filerepository/TestInMemoryFileRepository.java

@@ -24,7 +24,11 @@
  ******************************************************************************/
 package org.eclipse.digitaltwin.basyx.core.filerepository;
 
+import java.io.ByteArrayInputStream;
+import java.nio.file.Paths;
+
 import org.eclipse.digitaltwin.basyx.core.filerepository.backend.FileRepositoryTestSuite;
+import org.junit.Test;
 
 /**
  * Integration Test for InMemoryFileRepository
@@ -38,4 +42,21 @@ public class TestInMemoryFileRepository extends FileRepositoryTestSuite{
 	protected FileRepository getFileRepository() {
 		return new InMemoryFileRepository();
 	}
+
+	@Test(expected = SecurityException.class)
+	public void saveFileRejectsPathTraversal() {
+		FileRepository fileRepository = getFileRepository();
+		FileMetadata metadata = new FileMetadata("../../../../tmp/basyx-pwned.txt", "text/plain", new ByteArrayInputStream("test".getBytes()));
+
+		fileRepository.save(metadata);
+	}
+
+	@Test(expected = SecurityException.class)
+	public void saveFileRejectsAbsolutePath() {
+		FileRepository fileRepository = getFileRepository();
+		String absolutePath = Paths.get(System.getProperty("java.io.tmpdir"), "basyx-pwned.txt").toString();
+		FileMetadata metadata = new FileMetadata(absolutePath, "text/plain", new ByteArrayInputStream("test".getBytes()));
+
+		fileRepository.save(metadata);
+	}
 }

basyx.common/basyx.filerepository-backend-mongodb/src/main/java/org/eclipse/digitaltwin/basyx/core/filerepository/MongoDBFileRepository.java

@@ -37,6 +37,7 @@
 import org.springframework.data.mongodb.core.query.Query;
 import org.springframework.data.mongodb.gridfs.GridFsTemplate;
 import org.springframework.stereotype.Component;
+import org.bson.Document;
 
 import com.mongodb.client.gridfs.model.GridFSFile;
 
@@ -50,6 +51,7 @@
 public class MongoDBFileRepository implements FileRepository {
 
 	private static final String MONGO_FILENAME_FIELD = "filename";
+	private static final String MONGO_METADATA_ORIGINAL_FILENAME_FIELD = "originalFileName";
 
 	private GridFsTemplate gridFsTemplate;
 
@@ -72,7 +74,10 @@ public String save(FileMetadata fileMetadata) throws FileHandlingException {
 		if (exists(fileMetadata.getFileName()))
 			throw new FileHandlingException("File '%s' already exists.".formatted(fileMetadata.getFileName()));
 
-		gridFsTemplate.store(fileMetadata.getFileContent(), fileMetadata.getFileName(), fileMetadata.getContentType());
+		Document metadata = new Document();
+		metadata.put(MONGO_METADATA_ORIGINAL_FILENAME_FIELD, fileMetadata.getOriginalFileName());
+
+		gridFsTemplate.store(fileMetadata.getFileContent(), fileMetadata.getFileName(), fileMetadata.getContentType(), metadata);
 
 		return fileMetadata.getFileName();
 	}
@@ -110,6 +115,21 @@ public boolean exists(String fileName) {
 		return gridFSFile != null;
 	}
 
+	@Override
+	public String getOriginalFileName(String fileId) {
+		GridFSFile file = getFile(fileId);
+
+		if (file == null || file.getMetadata() == null)
+			return fileId;
+
+		String originalFileName = file.getMetadata().getString(MONGO_METADATA_ORIGINAL_FILENAME_FIELD);
+
+		if (originalFileName == null || originalFileName.isBlank())
+			return fileId;
+
+		return originalFileName;
+	}
+
 	private GridFSFile getFile(String mongoDBfileId) {
 		return gridFsTemplate.findOne(new Query(Criteria.where(MONGO_FILENAME_FIELD).is(mongoDBfileId)));
 	}

basyx.common/basyx.filerepository-backend/src/main/java/org/eclipse/digitaltwin/basyx/core/filerepository/FileMetadata.java

@@ -38,12 +38,18 @@
 public class FileMetadata {
 
 	private String fileName;
+	private String originalFileName;
 	private String contentType;
 	private InputStream fileContent;
 
 	public FileMetadata(String fileName, String contentType, InputStream fileContent) {
+		this(fileName, fileName, contentType, fileContent);
+	}
+
+	public FileMetadata(String fileName, String originalFileName, String contentType, InputStream fileContent) {
 		super();
 		this.fileName = fileName;
+		this.originalFileName = originalFileName;
 		this.contentType = contentType;
 		this.fileContent = fileContent;
 	}
@@ -56,6 +62,14 @@ public String getFileName() {
 		return fileName;
 	}
 
+	public void setOriginalFileName(String originalFileName) {
+		this.originalFileName = originalFileName;
+	}
+
+	public String getOriginalFileName() {
+		return originalFileName;
+	}
+
 	public void setContentType(String contentType) {
 		this.contentType = contentType;
 	}

basyx.common/basyx.filerepository-backend/src/main/java/org/eclipse/digitaltwin/basyx/core/filerepository/FileRepository.java

@@ -72,4 +72,14 @@ public interface FileRepository {
 	 */
 	public boolean exists(String fileId);
 
+	/**
+	 * Resolves the original logical filename that should be exposed to clients.
+	 * 
+	 * @param fileId
+	 * @return original filename or a fallback implementation-specific value
+	 */
+	public default String getOriginalFileName(String fileId) {
+		return fileId;
+	}
+
 }

basyx.common/basyx.http/src/main/java/org/eclipse/digitaltwin/basyx/http/BaSyxExceptionHandler.java

@@ -88,6 +88,11 @@ public ResponseEntity<Object> handleCollidingIdentifierException(CollidingAssetL
 	public ResponseEntity<Object> handleIllegalArgumentException(IllegalArgumentException exception) {
 		return buildResponse(exception.getMessage(), HttpStatus.BAD_REQUEST, exception);
 	}
+
+	@ExceptionHandler(SecurityException.class)
+	public ResponseEntity<Object> handleSecurityException(SecurityException exception) {
+		return buildResponse(exception.getMessage(), HttpStatus.BAD_REQUEST, exception);
+	}
 
 	@ExceptionHandler(IdentificationMismatchException.class)
 	public ResponseEntity<Object> handleIdMismatchException(IdentificationMismatchException exception) {

basyx.submodelrepository/basyx.submodelrepository-backend/src/main/java/org/eclipse/digitaltwin/basyx/submodelrepository/backend/CrudSubmodelRepository.java

@@ -207,6 +207,11 @@ public InputStream getFileByFilePath(String submodelId, String filePath) {
 		return getService(submodelId).getFileByFilePath(filePath);
 	}
 
+	@Override
+	public String getOriginalFileNameByPath(String submodelId, String idShortPath) {
+		return getService(submodelId).getOriginalFileNameByPath(idShortPath);
+	}
+
 	private void initializeRemoteCollection(@NonNull Collection<Submodel> submodels) {
 		if (submodels.isEmpty())
 			return;

basyx.submodelrepository/basyx.submodelrepository-core/src/main/java/org/eclipse/digitaltwin/basyx/submodelrepository/SubmodelRepository.java

@@ -297,4 +297,17 @@ public default String getName() {
 	 * @return File InputStream
 	 */
 	public InputStream getFileByFilePath(String submodelId, String filePath);
+
+	/**
+	 * Resolves the original logical filename for a file submodel element.
+	 *
+	 * @param submodelId
+	 *            the Submodel id
+	 * @param idShortPath
+	 *            the IdShort path of the file element
+	 * @return original filename to expose to clients
+	 */
+	public default String getOriginalFileNameByPath(String submodelId, String idShortPath) {
+		return getFileByPathSubmodel(submodelId, idShortPath).getName();
+	}
 }

basyx.submodelrepository/basyx.submodelrepository-http/src/main/java/org/eclipse/digitaltwin/basyx/submodelrepository/http/SubmodelRepositoryApiHTTPController.java

@@ -230,9 +230,10 @@ public ResponseEntity<Submodel> getSubmodelByIdMetadata(Base64UrlEncodedIdentifi
 
 	@Override
 	public ResponseEntity<Resource> getFileByPath(Base64UrlEncodedIdentifier submodelIdentifier, String idShortPath) {
-		Resource resource = new FileSystemResource(repository.getFileByPathSubmodel(submodelIdentifier.getIdentifier(), idShortPath));
+		java.io.File file = repository.getFileByPathSubmodel(submodelIdentifier.getIdentifier(), idShortPath);
+		Resource resource = new FileSystemResource(file);
 
-	    String fileName = resource.getFilename();
+		String fileName = repository.getOriginalFileNameByPath(submodelIdentifier.getIdentifier(), idShortPath);
 
 	    return ResponseEntity.ok()
 	            .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + fileName + "\"")

basyx.submodelrepository/basyx.submodelrepository-http/src/test/java/org/eclipse/digitaltwin/basyx/submodelrepository/http/SubmodelRepositorySubmodelHTTPTestSuite.java

@@ -339,6 +339,14 @@ public void uploadFileToNotExistElement() throws FileNotFoundException, Unsuppor
 		assertEquals(HttpStatus.NOT_FOUND.value(), submodelElementFileUploadResponse.getCode());
 	}
 
+	@Test
+	public void uploadFileWithPathTraversalFileName() throws IOException {
+		String maliciousFileName = "..%2F..%2F..%2F..%2Ftmp%2Fbasyx-pwned.txt";
+		CloseableHttpResponse submodelElementFileUploadResponse = uploadFileToSubmodelElement(DummySubmodelFactory.SUBMODEL_FOR_FILE_TEST, DummySubmodelFactory.SUBMODEL_ELEMENT_FILE_ID_SHORT, maliciousFileName);
+
+		assertEquals(HttpStatus.BAD_REQUEST.value(), submodelElementFileUploadResponse.getCode());
+	}
+
 	@Test
 	public void deleteFile() throws FileNotFoundException, IOException {
 		uploadFileToSubmodelElement(DummySubmodelFactory.SUBMODEL_FOR_FILE_TEST, DummySubmodelFactory.SUBMODEL_ELEMENT_FILE_ID_SHORT);
@@ -369,7 +377,7 @@ public void deleteFileFromNotExistElement() throws FileNotFoundException, Unsupp
 	@Test
 	public void getFile() throws FileNotFoundException, IOException, ParseException {
 		String fileName = DummySubmodelFactory.FILE_NAME;
-		String expectedFileName = Base64UrlEncodedIdentifier.encodeIdentifier(DummySubmodelFactory.SUBMODEL_FOR_FILE_TEST) + "-" + DummySubmodelFactory.SUBMODEL_ELEMENT_FILE_ID_SHORT + "-" + fileName;
+		String expectedFileName = fileName;
 
 		byte[] expectedFile = readBytesFromClasspath(fileName);
 
@@ -445,11 +453,13 @@ private String createSMEFileGetURL(String submodelId, String submodelElementIdSh
 	}
 
 	private CloseableHttpResponse uploadFileToSubmodelElement(String submodelId, String submodelElementIdShort) throws IOException {
-		CloseableHttpClient client = HttpClients.createDefault();
-
 		String fileName = DummySubmodelFactory.FILE_NAME;
+		return uploadFileToSubmodelElement(submodelId, submodelElementIdShort, fileName);
+	}
 
-		java.io.File file = ResourceUtils.getFile("classpath:" + fileName);
+	private CloseableHttpResponse uploadFileToSubmodelElement(String submodelId, String submodelElementIdShort, String fileName) throws IOException {
+		CloseableHttpClient client = HttpClients.createDefault();
+		java.io.File file = ResourceUtils.getFile("classpath:" + DummySubmodelFactory.FILE_NAME);
 
 		HttpPut putRequest = createPutRequestWithFile(submodelId, submodelElementIdShort, fileName, file);