GP-6695: in-directory check

Ghidra/Features/Sarif/src/main/java/sarif/managers/MemoryMapSarifMgr.java

@@ -15,29 +15,15 @@
  */
 package sarif.managers;
 
-import java.io.ByteArrayInputStream;
+import java.io.*;
-import java.io.File;
+import java.util.*;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.io.RandomAccessFile;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
 
 import com.google.gson.JsonArray;
 
 import generic.stl.Pair;
 import ghidra.app.util.MemoryBlockUtils;
 import ghidra.app.util.importer.MessageLog;
-import ghidra.program.model.address.Address;
+import ghidra.program.model.address.*;
-import ghidra.program.model.address.AddressFactory;
-import ghidra.program.model.address.AddressOverflowException;
-import ghidra.program.model.address.AddressRange;
-import ghidra.program.model.address.AddressRangeImpl;
-import ghidra.program.model.address.AddressRangeIterator;
-import ghidra.program.model.address.AddressSet;
-import ghidra.program.model.address.AddressSetView;
 import ghidra.program.model.listing.Program;
 import ghidra.program.model.mem.Memory;
 import ghidra.program.model.mem.MemoryBlock;
@@ -48,6 +34,7 @@ import sarif.SarifProgramOptions;
 import sarif.SarifUtils;
 import sarif.export.SarifWriterTask;
 import sarif.export.mm.SarifMemoryMapWriter;
+import utilities.util.FileUtilities;
 
 public class MemoryMapSarifMgr extends SarifMgr {
 
@@ -155,7 +142,11 @@ public class MemoryMapSarifMgr extends SarifMgr {
 			MessageLog log) throws IOException {
 		byte[] bytes = new byte[length];
 		Arrays.fill(bytes, (byte) 0xff);
+		File dir = new File(directory);
 		File f = new File(directory, fileName);
+		if (!FileUtilities.isPathContainedWithin(dir, f)) {
+			throw new RuntimeException(fileName + " not found within " + directory);
+		}
 		try (RandomAccessFile binfile = new RandomAccessFile(f, "r")) {
 			int pos = 0;
 			while (pos < length) {