Use lastModified timestamp to check if a in-use file was stolen/moved

infeo · infeo · commit fb7ccb9d5153 · 2025-10-29T11:24:00.000+01:00
diff --git a/src/main/java/org/cryptomator/cryptofs/inuse/RealUseToken.java b/src/main/java/org/cryptomator/cryptofs/inuse/RealUseToken.java
@@ -55,6 +55,7 @@ public static RealUseToken createWithExistingFile(Path p, String owner, Cryptor
 	private volatile Path filePath;
 	private volatile FileChannel channel;
 	private volatile boolean closed;
+	private volatile long lastModified;
 
 	RealUseToken(Path filePath, String owner, Cryptor cryptor, ConcurrentMap<Path, RealUseToken> useTokens, Executor tokenPersistor, OpenOption openMode) {
 		var delayedExecutor = CompletableFuture.delayedExecutor(Constants.INUSE_DELAY_MILLIS, TimeUnit.MILLISECONDS, tokenPersistor);
@@ -96,9 +97,18 @@ void refresh() {
 			if (closed || channel == null) {
 				return;
 			}
+			var currentLastModfied = Files.getLastModifiedTime(filePath).toMillis();
+			if (currentLastModfied != lastModified) {
+				throw new ModifiedFileException(); //someone edited _our_ file.
+			}
 			writeInUseFile();
+		} catch (ModifiedFileException e) {
+			//TODO: event? we have no access to the cleartext!
+			LOG.debug("Failed to refresh in-use file {}.", filePath, e);
+			close(false);
 		} catch (IOException e) {
 			LOG.debug("Failed to refresh in-use file {}.", filePath, e);
+			close();
 		} finally {
 			fileCreationSync.unlock();
 		}
@@ -116,7 +126,8 @@ int writeInUseFile() throws IOException {
 			prop.store(rawInfo, null);
 			bytesWritten = encChannel.write(ByteBuffer.wrap(rawInfo.toByteArray()));
 		}
-		channel.force(false);
+		channel.force(true);
+		lastModified = Files.getLastModifiedTime(filePath).toMillis();
 		return bytesWritten;
 	}
 
@@ -136,6 +147,7 @@ void moveToInternal(Path newFilePath) {
 			useTokens.compute(newFilePath, (_, _) -> {
 				try {
 					if (channel != null) {
+						//TODO: does this affect the lastModified file?
 						Files.move(filePath, newFilePath, StandardCopyOption.REPLACE_EXISTING);
 					}
 					return this;
@@ -160,6 +172,10 @@ public boolean isClosed() {
 
 	@Override
 	public void close() {
+		close(true);
+	}
+
+	void close(boolean deleteFile) {
 		fileCreationSync.lock();
 		try {
 			if (closed) {
@@ -171,7 +187,9 @@ public void close() {
 				if (channel != null) {
 					try {
 						channel.close();
-						Files.deleteIfExists(filePath);
+						if(deleteFile) {
+							Files.deleteIfExists(filePath);
+						}
 					} catch (IOException e) {
 						//ignore
 						LOG.warn("Failed to delete inUse File {}. Must be deleted manually.", path);
@@ -184,6 +202,8 @@ public void close() {
 		}
 	}
 
+	//--- glue code ---
+
 	interface EncryptionDecorator {
 
 		WritableByteChannel wrapWithEncryption(ByteChannel ch, Cryptor c);
@@ -211,4 +231,8 @@ public int read(ByteBuffer dst) throws IOException {
 			return delegate.read(dst);
 		}
 	}
+
+	static class ModifiedFileException extends RuntimeException {
+
+	}
 }
diff --git a/src/test/java/org/cryptomator/cryptofs/inuse/RealUseTokenTest.java b/src/test/java/org/cryptomator/cryptofs/inuse/RealUseTokenTest.java
@@ -8,16 +8,21 @@
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.RepeatedTest;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
+import org.junit.jupiter.api.parallel.Execution;
+import org.junit.jupiter.api.parallel.ExecutionMode;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.nio.channels.FileChannel;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardOpenOption;
 import java.nio.file.StandardWatchEventKinds;
 import java.nio.file.WatchService;
+import java.nio.file.attribute.FileTime;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Properties;
@@ -80,6 +85,7 @@ public void testFileCreation() {
 		Assertions.assertTrue(Files.notExists(filePath));
 	}
 
+	//TODO: test is flaky. Why?
 	@Test
 	@DisplayName("The properties file contains required keys with valid content")
 	public void testFileContent() throws IOException {
@@ -244,6 +250,26 @@ public void testFileRefresh() throws IOException {
 		}
 	}
 
+	@RepeatedTest(value = 5, failureThreshold = 1)
+	@Execution(ExecutionMode.SAME_THREAD)
+	@DisplayName("Refreshing a token with not-matching last-modified date closes token, but does not delete file ")
+	public void testFileRefreshWrongLastModified() throws IOException {
+		var filePath = tmpDir.resolve("inUse.file");
+
+		try (var token = new RealUseToken(filePath, "test3000", cryptor, useTokens, tokenPersistor, StandardOpenOption.CREATE_NEW, encWrapper)) {
+			Awaitility.await().atLeast(FILE_OPERATION_DELAY).atMost(FILE_OPERATION_MAX).until(() -> Files.exists(filePath));
+			Awaitility.await().pollDelay(Duration.ofMillis(10)).until(() -> true);
+
+			Files.setLastModifiedTime(filePath, FileTime.from(Instant.ofEpochMilli(0)));
+
+			token.refresh();
+
+			Assertions.assertTrue(token.isClosed());
+			Assertions.assertTrue(Files.exists(filePath));
+		}
+		Assertions.assertTrue(Files.exists(filePath));
+	}
+
 	@Test
 	@DisplayName("Before token persisting, refreshing a token does nothing")
 	public void testFileRefreshSkip() throws IOException {
