authorDan Timoney <dtimoney@att.com>2020-10-16 11:22:11 -0400
committerDan Timoney <dtimoney@att.com>2020-10-16 15:17:17 -0400
commitec2cdff3f96e7587c97b6fc9961fb108cf9c7e29 (patch)
tree49bcb281a63e499347c70a2fbe1b7a3feab408b2
parent368939e5f285dafeec594d58ba74c5bba0cc20d1 (diff)
Add code to validate path names.
Added code to validate path names to avoid possible attacks due to hidden/special characters and/or embedded newlines. Change-Id: I53d7266e44fbada1d9d5f458dfcdbc452801672c Issue-ID: CCSDK-2918 Signed-off-by: Dan Timoney <dtimoney@att.com>
-rw-r--r--sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java4
-rw-r--r--sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java18
-rw-r--r--sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java17
-rw-r--r--sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java3
-rw-r--r--sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java5
5 files changed, 40 insertions, 7 deletions
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java
index d6ad07424..2f1f466c7 100644
--- a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java
@@ -21,6 +21,7 @@
package org.onap.ccsdk.sli.core.sli;
+
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
@@ -32,6 +33,9 @@ import javax.xml.bind.DatatypeConverter;
public class CheckSumHelper {
public static String md5SumFromFile(String pathToFile) throws NoSuchAlgorithmException, IOException {
+ if (!PathValidator.isValidXmlPath(pathToFile)) {
+ throw new IOException("Invalid XML file name");
+ }
byte[] b = Files.readAllBytes(Paths.get(pathToFile));
return md5SumFromByteArray(b);
}
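Review bot: The new precondition on `md5SumFromFile` is undocumented, and its failure is reported as a bare `IOException("Invalid XML file name")` — the same type callers already handle for an unreadable file — so a caller cannot distinguish a rejected name from a read error. Add Javadoc stating `@throws IOException if pathToFile is not an allow-listed .xml path (see PathValidator.isValidXmlPath) or cannot be read`. Unlike the other call sites in this commit, the message here does not echo the rejected value, which is the safer choice given that the value may carry the control characters the validator exists to block.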
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java
new file mode 100644
index 000000000..511dbca7a
--- /dev/null
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java
@@ -0,0 +1,18 @@
+package org.onap.ccsdk.sli.core.sli;
+
+import java.util.regex.Pattern;
+
+public class PathValidator {
+ public static boolean isValidXmlPath(String path) {
+ Pattern allowList = Pattern.compile("[-\\w/\\/]+\\.xml$");
+ return (allowList.matcher(path).matches());
+ }
+ public static boolean isValidPropertiesPath(String path) {
+ Pattern allowList = Pattern.compile("[-\\w/\\/]+\\.properties$");
+ return (allowList.matcher(path).matches());
+ }
+ public static boolean isValidFilePath(String path) {
+ Pattern allowList = Pattern.compile("[-\\w/\\/]+");
+ return (allowList.matcher(path).matches());
+ }
+}
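Review bot: Each call recompiles its Pattern, and the class `[-\w/\/]+` lists `/` twice, since `\/` inside a character class is just `/`; hold the three patterns in `private static final` fields and drop the duplicate (with `matches()` the trailing `$` is redundant as well). The allow-list is a character filter, not a base-directory check: it rejects `..`, whitespace, backslashes and control characters only because `.` and `\` are outside the class, any absolute path built from the permitted characters is accepted, and `\w` is ASCII-only unless UNICODE_CHARACTER_CLASS is set — a comment saying so would stop the next maintainer from reading it as traversal protection. Because `.` is excluded from the prefix, `isValidXmlPath` rejects a name such as `foo.bar.xml` or a directory with a dot in it, and `isValidFilePath` (applied to the recorder's `file` parameter in FileRecorder) rejects any name carrying an extension, e.g. `record.log`; if existing deployments use such names this is a regression, so confirm it is intended or admit `.` in non-terminal segments. `matcher(null)` throws NullPointerException, so a null guard would give a clearer failure to callers that pass an unset parameter.
```java
public final class PathValidator {
    // Character allow-list only (ASCII word chars, '-' and '/'): it does not
    // confine the path to any base directory. Compiled once, not per call.
    private static final Pattern XML_PATH = Pattern.compile("[-\\w/]+\\.xml");
    private static final Pattern PROPERTIES_PATH = Pattern.compile("[-\\w/]+\\.properties");
    private static final Pattern FILE_PATH = Pattern.compile("[-\\w/]+");

    private PathValidator() {}

    public static boolean isValidXmlPath(String path) {
        return path != null && XML_PATH.matcher(path).matches();
    }

    // … isValidPropertiesPath and isValidFilePath: same shape, using PROPERTIES_PATH / FILE_PATH …
}
```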
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
index 5cb7ac5e2..cb78ac2ec 100644
--- a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
@@ -33,10 +33,7 @@ import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.xml.sax.Attributes;
-import org.xml.sax.Locator;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
+import org.xml.sax.*;
import org.xml.sax.helpers.DefaultHandler;
/**
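Review bot: The four explicit `org.xml.sax` imports are replaced by the wildcard `import org.xml.sax.*;`, which hides which SAX types this parser actually depends on and can silently pick up a same-named class if another wildcard import is added later. Keep the explicit list — `import org.xml.sax.Attributes; import org.xml.sax.Locator; import org.xml.sax.SAXException; import org.xml.sax.SAXParseException;` — and add whichever further `org.xml.sax` type the new code needs, if any; nothing in the visible hunks uses one.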
@@ -62,7 +59,7 @@ public class SvcLogicParser {
private static final String SVCLOGIC_XSD = "/svclogic.xsd";
private SAXParser saxParser;
- private class SvcLogicHandler extends DefaultHandler {
+ private class SvcLogicHandler extends DefaultHandler {
private Locator locator = null;
private String module = null;
private String version = null;
@@ -82,7 +79,7 @@ public class SvcLogicParser {
this.curNodeId = 1;
this.outcomeValue = null;
}
-
+
@Override
public void setDocumentLocator(Locator locator) {
this.locator = locator;
@@ -450,6 +447,9 @@ public class SvcLogicParser {
public static void load(String xmlfile, SvcLogicStore store) throws SvcLogicException {
+ if (!PathValidator.isValidXmlPath(xmlfile)) {
+ throw new ConfigurationException("Invalid xml file name ("+ xmlfile + ")");
+ }
File xmlFile = new File(xmlfile);
if (!xmlFile.canRead()) {
throw new ConfigurationException("Cannot read xml file (" + xmlfile + ")");
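Review bot: The rejected value is concatenated raw into the exception message on `throw new ConfigurationException("Invalid xml file name ("+ xmlfile + ")");`, and it was rejected precisely because it may hold control characters or embedded newlines; if these exceptions end up in a log (this class has a LOGGER), that may reintroduce the very problem the commit sets out to close. The same pattern appears in `validate` in the next hunk, in SvcLogicStoreFactory.getSvcLogicStore and in FileRecorder. Either omit the value or neutralise it first, e.g. `throw new ConfigurationException("Invalid xml file name (" + xmlfile.replaceAll("[^-\\w/.]", "?") + ")");`, which keeps the message useful without reproducing the offending bytes. The `canRead` message below is unaffected, since by then the value has passed the allow-list. load's body continues outside the hunk.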
@@ -482,6 +482,9 @@ public class SvcLogicParser {
}
public static void validate(String xmlfile, SvcLogicStore store) throws SvcLogicException {
+ if (!PathValidator.isValidXmlPath(xmlfile)) {
+ throw new ConfigurationException("Invalid xml file name ("+ xmlfile + ")");
+ }
File xmlFile = new File(xmlfile);
if (!xmlFile.canRead()) {
throw new ConfigurationException("Cannot read xml file (" + xmlfile + ")");
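Review bot: `validate` now repeats the same three-line allow-list check followed by the same `canRead` check as `load` in the previous hunk. A private helper such as `private static File readableXmlFile(String xmlfile) throws ConfigurationException` that performs both checks and returns the File would keep the two entry points in step if the validation rule changes again. validate's body continues outside the hunk.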
@@ -601,7 +604,7 @@ public class SvcLogicParser {
}
SAXParser saxParser = factory.newSAXParser();
- if (saxParser.isValidating()) {
+ if (saxParser.isValidating()) {
LOGGER.info("Parser configured to validate XML {}", (xsdUrl != null ? xsdUrl.getPath() : null));
}
return saxParser;
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java
index b73925dde..f682bb529 100644
--- a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java
@@ -35,6 +35,9 @@ public class SvcLogicStoreFactory {
public static SvcLogicStore getSvcLogicStore(String propfile)
throws SvcLogicException {
+ if (!PathValidator.isValidPropertiesPath(propfile)) {
+ throw new ConfigurationException("Invalid property file name ("+propfile+")");
+ }
File propFile = new File(propfile);
if (!propFile.canRead()) {
throw new ConfigurationException("Cannot read property file "
diff --git a/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java b/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java
index 37e4fe877..ab6f8bcc8 100644
--- a/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java
+++ b/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java
@@ -33,6 +33,7 @@ import java.util.Map;
import java.util.TimeZone;
import org.onap.ccsdk.sli.core.sli.ConfigurationException;
+import org.onap.ccsdk.sli.core.sli.PathValidator;
import org.onap.ccsdk.sli.core.sli.SvcLogicException;
import org.onap.ccsdk.sli.core.sli.SvcLogicRecorder;
@@ -47,6 +48,10 @@ public class FileRecorder implements SvcLogicRecorder {
{
throw new ConfigurationException("No file parameter specified");
}
+
+ if (!PathValidator.isValidFilePath(fileName)) {
+ throw new ConfigurationException("Invalid file name ("+fileName+")");
+ }
String record = parmMap.get("record");
if (record == null)