Prevent attaching files from the signal-cli data directory

2026-05-25 14:24:36 +00:00 · 2026-05-23 13:50:06 +02:00 · 2026-05-23 13:50:06 +02:00 · 6da5c37504
commit 6da5c37504
parent 4601e60118
2 changed files with 21 additions and 0 deletions
--- a/lib/src/main/java/org/asamk/signal/manager/helper/AttachmentHelper.java
+++ b/lib/src/main/java/org/asamk/signal/manager/helper/AttachmentHelper.java
@ -34,8 +34,10 @@ public class AttachmentHelper {

    private final SignalDependencies dependencies;
    private final AttachmentStore attachmentStore;
+    private final Context context;

    public AttachmentHelper(final Context context) {
+        this.context = context;
        this.dependencies = context.getDependencies();
        this.attachmentStore = context.getAttachmentStore();
    }
@ -92,6 +94,21 @@ public class AttachmentHelper {
            final boolean voiceNote
    ) throws AttachmentInvalidException {
        try {
+            // Reject local files that point into the signal-cli data directory
+            if (attachment != null && !attachment.startsWith("data:")) {
+                try {
+                    final var file = new File(attachment);
+                    final var canonical = file.getCanonicalFile();
+                    final var dataPath = context.getAccount().getDataPath().getCanonicalFile();
+                    if (canonical.toPath().startsWith(dataPath.toPath())) {
+                        throw new AttachmentInvalidException(attachment,
+                                new IOException("Attaching files from the signal-cli data directory is not allowed"));
+                    }
+                } catch (IOException e) {
+                    throw new AttachmentInvalidException(attachment, e);
+                }
+            }
+
            final var streamDetailsAndFileName = Utils.createStreamDetails(attachment);
            final var streamDetails = streamDetailsAndFileName.first();
            final var uploadSpec = getResumableUploadSpec(streamDetails);
--- a/lib/src/main/java/org/asamk/signal/manager/storage/SignalAccount.java
+++ b/lib/src/main/java/org/asamk/signal/manager/storage/SignalAccount.java
@ -192,6 +192,10 @@ public class SignalAccount implements Closeable {
        this.lock = lock;
    }

+    public File getDataPath() {
+        return dataPath;
+    }
+
    public static SignalAccount load(
            File dataPath,
            String accountPath,