Merge branch 'master' of https://github.com/genepi/cloudgene into rel…

…ease-2.5.4

.github/workflows/create-release.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   build:
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
 
     steps:
     - uses: actions/checkout@v2

.github/workflows/maven-test.yml

@@ -8,7 +8,7 @@ on: [push, pull_request]
 jobs:
   build:
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
 
     steps:
     - uses: actions/checkout@v2

pom.xml

@@ -4,7 +4,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>cloudgene</groupId>
 	<artifactId>cloudgene</artifactId>
-	<version>2.5.2</version>
+	<version>2.5.4</version>
 
 	<name>Cloudgene</name>
 	<url>http://www.cloudgene.io</url>
@@ -56,7 +56,7 @@
 		<repository>
 			<id>maven-restlet</id>
 			<name>Restlet Framework repository</name>
-			<url>https://maven.restlet.org</url>
+			<url>https://maven.restlet.talend.com</url>
 		</repository>
 
 		<repository>
@@ -130,7 +130,7 @@
 		<dependency>
 			<groupId>mysql</groupId>
 			<artifactId>mysql-connector-java</artifactId>
-			<version>8.0.28</version>
+			<version>8.0.32</version>
 		</dependency>
 
 		<dependency>
@@ -197,35 +197,35 @@
 		<dependency>
 			<groupId>org.apache.ivy</groupId>
 			<artifactId>ivy</artifactId>
-			<version>2.5.0</version>
+			<version>2.5.1</version>
 		</dependency>
 
 		<!-- Logging -->
 
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>
 			<artifactId>log4j-api</artifactId>
-			<version>2.17.1</version>
+			<version>2.19.0</version>
 		</dependency>
 
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>
 			<artifactId>log4j-core</artifactId>
-			<version>2.17.1</version>
+			<version>2.19.0</version>
 		</dependency>
 
 		<!-- use slf4j with log4j2 -->
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>
 			<artifactId>log4j-slf4j-impl</artifactId>
-			<version>2.17.1</version>
+			<version>2.19.0</version>
 		</dependency>
 
 		<!-- use apache commons with log4j2 -->
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>
 			<artifactId>log4j-jcl</artifactId>
-			<version>2.17.1</version>
+			<version>2.19.0</version>
 		</dependency>
 
 		<!-- End Logging -->
@@ -295,7 +295,7 @@
 		<dependency>
 			<groupId>net.lingala.zip4j</groupId>
 			<artifactId>zip4j</artifactId>
-			<version>2.9.1</version>
+			<version>2.11.3</version>
 		</dependency>
 
 		<dependency>
@@ -323,7 +323,7 @@
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-crypto</artifactId>
-			<version>5.6.1</version>
+			<version>5.8.1</version>
 		</dependency>
 
 		<!-- Test Dependencies -->

src/main/html/webapp/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cloudgene",
-  "version": "2.5.1",
+  "version": "2.5.4",
   "description": "Cloudgene web client",
   "homepage": "http://www.cloudgene.io",
   "author": "Lukas Forer <[email protected] (http://www.forer.it)",

src/main/java/cloudgene/mapred/Main.java

@@ -36,7 +36,7 @@
 
 public class Main {
 
-	public static final String VERSION = "2.5.2";
+	public static final String VERSION = "2.5.4";
 
 	private Database database;
 

src/main/java/cloudgene/mapred/WebApp.java

@@ -1,14 +1,21 @@
 package cloudgene.mapred;
 
 import java.io.File;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 import org.restlet.Application;
 import org.restlet.Restlet;
 import org.restlet.data.LocalReference;
+import org.restlet.data.Status;
+import org.restlet.engine.local.DirectoryServerResource;
 import org.restlet.resource.Directory;
+import org.restlet.resource.ResourceException;
 import org.restlet.routing.Redirector;
 import org.restlet.routing.Router;
 import org.restlet.routing.Template;
@@ -229,12 +236,14 @@ public synchronized Restlet createInboundRoot() {
 		setStatusService(new CustomStatusService());
 
 		Directory dir = new Directory(getContext(), webRoot2);
+		dir.setTargetClass(FixedDirectoryServerResource.class);
 		dir.setListingAllowed(false);
 
 		route = router.attach(prefix + "/static", dir);
 		route.setMatchingMode(Template.MODE_STARTS_WITH);
 
 		dir = new Directory(getContext(), webRoot);
+		dir.setTargetClass(FixedDirectoryServerResource.class);
 		dir.setListingAllowed(false);
 
 		route = router.attach(prefix + "/", dir);
@@ -304,5 +313,25 @@ public String getTemplate(String key, Object... strings) {
 		}
 
 	}
+
+	public static class FixedDirectoryServerResource extends DirectoryServerResource {
+
+		@Override
+		public void preventUpperDirectoryAccess() {
+
+			try {
+				URI targetUri = new URI(getTargetUri());
+				Path targetPath = Paths.get(targetUri).normalize();
+				URI baseUri = new URI(getDirectory().getRootRef().toString());
+				Path basePath = Paths.get(baseUri).normalize();
+				if (!targetPath.startsWith(basePath)) {
+					throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN);
+				}
+			} catch (URISyntaxException e) {
+				throw new ResourceException(e);
+			}
+		}
+
+	}
 
 }

src/main/java/cloudgene/mapred/representations/CustomStatusService.java

@@ -16,7 +16,7 @@ public Representation getRepresentation(Status status, Request request,
 		if (status.isClientError()) {
 
 			//setStatus(Status.CLIENT_ERROR_NOT_FOUND );
-			return new StringRepresentation("Oje!!");
+			return new StringRepresentation("Error");
 		} else {
 
 			// TODO Auto-generated method stub