Reject unsafe archive entry keys at indexing

esnya · esnya · commit fb403c35edad · 2026-06-03T04:03:34.000+09:00
diff --git a/src/PlateauResoniteLink/Application/Importing/PlateauDatasetContentSourceFactory.cs b/src/PlateauResoniteLink/Application/Importing/PlateauDatasetContentSourceFactory.cs
@@ -369,7 +369,11 @@ private static async Task IndexArchiveAsync(
             {
                 cancellationToken.ThrowIfCancellationRequested();
 
-                string entryKey = archiveFileLayoutPolicy.NormalizeRelativePath(entry.Key ?? string.Empty);
+                if (!TryNormalizeArchiveEntryKey(entry, archiveFileLayoutPolicy, out string entryKey))
+                {
+                    continue;
+                }
+
                 if (IsSupportedArchiveFile(entryKey))
                 {
                     await IndexArchiveAsync(
@@ -438,10 +442,8 @@ private static async ValueTask<Stream> OpenEntryStreamAsync(
 
             IArchiveEntry entry = archive.Entries.FirstOrDefault(candidate =>
                     !candidate.IsDirectory
-                    && string.Equals(
-                        archiveFileLayoutPolicy.NormalizeRelativePath(candidate.Key ?? string.Empty),
-                        archiveFileLayoutPolicy.NormalizeRelativePath(entryKey),
-                        StringComparison.Ordinal))
+                    && TryNormalizeArchiveEntryKey(candidate, archiveFileLayoutPolicy, out string candidateKey)
+                    && string.Equals(candidateKey, archiveFileLayoutPolicy.NormalizeRelativePath(entryKey), StringComparison.Ordinal))
                 ?? throw new FileNotFoundException($"The dataset entry '{entryKey}' was not found in '{archivePath}'.");
 
             await using Stream entryStream = await entry.OpenEntryStreamAsync(cancellationToken);
@@ -458,5 +460,41 @@ private static bool IsSupportedArchiveFile(string path)
                 || string.Equals(extension, ".7z", StringComparison.OrdinalIgnoreCase);
         }
 
+        private static bool TryNormalizeArchiveEntryKey(
+            IArchiveEntry entry,
+            IArchiveFileLayoutPolicy archiveFileLayoutPolicy,
+            out string entryKey)
+        {
+            entryKey = string.Empty;
+
+            if (string.IsNullOrWhiteSpace(entry.Key))
+            {
+                return false;
+            }
+
+            string rawKey = entry.Key.Replace('\\', '/').Trim();
+            if (rawKey.StartsWith('/')
+                || Path.IsPathFullyQualified(rawKey)
+                || (rawKey.Length >= 2 && rawKey[1] == ':'))
+            {
+                return false;
+            }
+
+            string normalizedKey = archiveFileLayoutPolicy.NormalizeRelativePath(rawKey);
+            if (normalizedKey.Length == 0)
+            {
+                return false;
+            }
+
+            string[] segments = normalizedKey.Split('/', StringSplitOptions.RemoveEmptyEntries);
+            if (segments.Any(static segment => segment is "." or ".."))
+            {
+                return false;
+            }
+
+            entryKey = normalizedKey;
+            return true;
+        }
+
     }
 }
diff --git a/tests/PlateauResoniteLink.Tests/Sources/ArchivePlateauDatasetContentSourceFactoryTests.cs b/tests/PlateauResoniteLink.Tests/Sources/ArchivePlateauDatasetContentSourceFactoryTests.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.IO.Compression;
+using System.Linq;
 using System.Text;
 using System.Threading.Tasks;
 
@@ -99,6 +100,34 @@ public async Task EnsureLocalFileAsyncUsesDistinctCacheDirectoriesForSameNamedAr
         Assert.NotEqual(Path.GetDirectoryName(firstLocalFilePath), Path.GetDirectoryName(secondLocalFilePath));
     }
 
+    [Fact]
+    public async Task CreateAsyncIndexesOnlyArchiveEntriesWithSafeRelativePaths()
+    {
+        byte[] archiveBytes = CreateZipArchive(
+            ("udx/bldg/area/plateau_tokyo23ku_bldg_533944.gml", "<CityModel />"),
+            ("../../outside.txt", "escape"),
+            ("/absolute.txt", "absolute"),
+            ("C:/outside/windows-absolute.txt", "drive"),
+            ("udx/./texture.png", "dot"));
+
+        using TemporaryDirectory workRoot = new();
+        string archivePath = Path.Combine(workRoot.Path, "malicious.zip");
+        await File.WriteAllBytesAsync(archivePath, archiveBytes);
+
+        IPlateauDatasetContentSource datasetSource = await PlateauDatasetContentSourceFactory.CreateAsync(
+            archivePath,
+            new RemoteArchiveDistributionPolicy(),
+            new ArchiveFileLayoutPolicy());
+
+        string[] files = datasetSource.EnumerateFiles().ToArray();
+
+        Assert.Equal(["udx/bldg/area/plateau_tokyo23ku_bldg_533944.gml"], files);
+        Assert.False(datasetSource.FileExists("outside.txt"));
+        Assert.False(datasetSource.FileExists("absolute.txt"));
+        Assert.False(datasetSource.FileExists("C:/outside/windows-absolute.txt"));
+        Assert.False(datasetSource.FileExists("udx/texture.png"));
+    }
+
     [Fact]
     public async Task ResolveRelativePathUsesConfiguredArchiveFileLayoutPolicy()
     {
