From ec2cdff3f96e7587c97b6fc9961fb108cf9c7e29 Mon Sep 17 00:00:00 2001
From: Dan Timoney
Date: Fri, 16 Oct 2020 11:22:11 -0400
Subject: Add code to validate path names.
Added code to validate path names to avoid possible attacks due to hidden/special characters and/or embedded new lines.
Change-Id: I53d7266e44fbada1d9d5f458dfcdbc452801672c
Issue-ID: CCSDK-2918
Signed-off-by: Dan Timoney
---
 .../org/onap/ccsdk/sli/core/sli/CheckSumHelper.java | 4 ++++
 .../org/onap/ccsdk/sli/core/sli/PathValidator.java | 18 ++++++++++++++++++
 .../org/onap/ccsdk/sli/core/sli/SvcLogicParser.java | 17 ++++++++++-------
 .../onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java | 3 +++
 .../ccsdk/sli/core/sli/recording/FileRecorder.java | 5 +++++
 5 files changed, 40 insertions(+), 7 deletions(-)
 create mode 100644 sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java
index d6ad07424..2f1f466c7 100644
--- a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/CheckSumHelper.java
@@ -21,6 +21,7 @@ package org.onap.ccsdk.sli.core.sli;
+
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
@@ -32,6 +33,9 @@ import javax.xml.bind.DatatypeConverter;
 public class CheckSumHelper {
 public static String md5SumFromFile(String pathToFile) throws NoSuchAlgorithmException, IOException {
+ if (!PathValidator.isValidXmlPath(pathToFile)) {
+ throw new IOException("Invalid XML file name");
+ }
 byte[] b = Files.readAllBytes(Paths.get(pathToFile));
 return md5SumFromByteArray(b);
 }
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java
new file mode 100644
index 000000000..511dbca7a
--- /dev/null
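Review bot: The new guard at the top of md5SumFromFile makes a method with a generic name accept only paths that satisfy `PathValidator.isValidXmlPath`, i.e. paths ending in `.xml` built from `[-\w/]`, so any existing caller that hashes a non-XML file (none is visible here) will now get an IOException indistinguishable from a read failure. If the XML-only contract is intended, say so on the method, e.g. `/** Returns the hex MD5 of an allow-listed .xml path. @throws IOException if the path is rejected by PathValidator.isValidXmlPath or cannot be read. */`, and make the rejection message self-explaining without echoing the input, e.g. `throw new IOException("Invalid XML file name: path rejected by PathValidator.isValidXmlPath");`. Not echoing the rejected string here is the right choice and worth keeping consistent in the other files of this commit.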
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/PathValidator.java
@@ -0,0 +1,18 @@
+package org.onap.ccsdk.sli.core.sli;
+
+import java.util.regex.Pattern;
+
+public class PathValidator {
+ public static boolean isValidXmlPath(String path) {
+ Pattern allowList = Pattern.compile("[-\\w/\\/]+\\.xml$");
+ return (allowList.matcher(path).matches());
+ }
+ public static boolean isValidPropertiesPath(String path) {
+ Pattern allowList = Pattern.compile("[-\\w/\\/]+\\.properties$");
+ return (allowList.matcher(path).matches());
+ }
+ public static boolean isValidFilePath(String path) {
+ Pattern allowList = Pattern.compile("[-\\w/\\/]+");
+ return (allowList.matcher(path).matches());
+ }
+}
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
index 5cb7ac5e2..cb78ac2ec 100644
--- a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
@@ -33,10 +33,7 @@ import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.xml.sax.Attributes;
-import org.xml.sax.Locator;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
+import org.xml.sax.*;
 import org.xml.sax.helpers.DefaultHandler;
 /**
@@ -62,7 +59,7 @@ public class SvcLogicParser {
 private static final String SVCLOGIC_XSD = "/svclogic.xsd";
 private SAXParser saxParser;
- private class SvcLogicHandler extends DefaultHandler {
+ private class SvcLogicHandler extends DefaultHandler {
 private Locator locator = null;
 private String module = null;
 private String version = null;
@@ -82,7 +79,7 @@ public class SvcLogicParser {
 this.curNodeId = 1;
 this.outcomeValue = null;
 }
-
+
 @Override
 public void setDocumentLocator(Locator locator) {
 this.locator = locator;
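Review bot: The allow-list in isValidFilePath, `[-\\w/\\/]+`, contains no `.`, so every file name with an extension (`record.log`) is rejected, and the other two patterns forbid `.` in directory segments as well (`/opt/app-1.2/graph.xml` fails); `\\/` inside the character class is just `/` again. Nothing in these patterns confines the location: any absolute path made of `[-\w/]` passes, so the check keeps out `..`, spaces, control characters and newlines but does not restrict reads or writes to a base directory — if that is the intent, say so in a class comment, otherwise the callers still need a `base.resolve(p).normalize().startsWith(base)` check. The patterns are recompiled on every call and should be `private static final`; `$` is redundant under `matches()`, and a null path currently throws NullPointerException from `matcher(null)` rather than returning false. A version that addresses those points while still rejecting any `..` segment:
```java
public class PathValidator {
    // Compiled once; matches() already anchors both ends, so no '$' is needed.
    private static final Pattern XML_PATH = Pattern.compile("[-\\w/]+\\.xml");
    private static final Pattern PROPERTIES_PATH = Pattern.compile("[-\\w/]+\\.properties");
    // Permits '.' inside names (extensions, versioned directories) but never a ".." segment.
    private static final Pattern FILE_PATH = Pattern.compile("(?!.*\\.\\.)[-\\w./]+");

    public static boolean isValidXmlPath(String path) {
        return path != null && XML_PATH.matcher(path).matches();
    }
    // … isValidPropertiesPath / isValidFilePath: same shape against PROPERTIES_PATH / FILE_PATH …
}
```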
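Review bot: `import org.xml.sax.*;` in the import hunk of SvcLogicParser replaces four single-type imports with an on-demand import, which hides which SAX types the parser actually depends on and can clash with same-named types from other on-demand packages; every other import in this hunk (`org.xml.sax.helpers.DefaultHandler`, the slf4j and javax.xml.validation imports) is explicit. Keep `import org.xml.sax.Attributes;`, `import org.xml.sax.Locator;`, `import org.xml.sax.SAXException;` and `import org.xml.sax.SAXParseException;` and add whatever new type motivated the wildcard as its own line (the use that needs it is outside this hunk, so I cannot say which type it is).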
@@ -450,6 +447,9 @@ public class SvcLogicParser {
 public static void load(String xmlfile, SvcLogicStore store) throws SvcLogicException {
+ if (!PathValidator.isValidXmlPath(xmlfile)) {
+ throw new ConfigurationException("Invalid xml file name ("+ xmlfile + ")");
+ }
 File xmlFile = new File(xmlfile);
 if (!xmlFile.canRead()) {
 throw new ConfigurationException("Cannot read xml file (" + xmlfile + ")");
@@ -482,6 +482,9 @@ public class SvcLogicParser {
 }
 public static void validate(String xmlfile, SvcLogicStore store) throws SvcLogicException {
+ if (!PathValidator.isValidXmlPath(xmlfile)) {
+ throw new ConfigurationException("Invalid xml file name ("+ xmlfile + ")");
+ }
 File xmlFile = new File(xmlfile);
 if (!xmlFile.canRead()) {
 throw new ConfigurationException("Cannot read xml file (" + xmlfile + ")");
@@ -601,7 +604,7 @@ public class SvcLogicParser {
 }
 SAXParser saxParser = factory.newSAXParser();
- if (saxParser.isValidating()) {
+ if (saxParser.isValidating()) {
 LOGGER.info("Parser configured to validate XML {}", (xsdUrl != null ? xsdUrl.getPath() : null));
 }
 return saxParser;
diff --git a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java
index b73925dde..f682bb529 100644
--- a/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java
+++ b/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicStoreFactory.java
@@ -35,6 +35,9 @@ public class SvcLogicStoreFactory {
 public static SvcLogicStore getSvcLogicStore(String propfile) throws SvcLogicException {
+ if (!PathValidator.isValidPropertiesPath(propfile)) {
+ throw new ConfigurationException("Invalid property file name ("+propfile+")");
+ }
 File propFile = new File(propfile);
 if (!propFile.canRead()) {
 throw new ConfigurationException("Cannot read property file "
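Review bot: The guard added to load() throws `ConfigurationException("Invalid xml file name ("+ xmlfile + ")")`, which copies the string the validator just rejected — by construction one containing characters outside `[-\w/]`, possibly control characters or embedded newlines — straight into the exception message, so the content the commit sets out to keep away from logs and reports is exactly what gets logged when the check fires. Either leave the path out of the message, as CheckSumHelper does in this same commit, or neutralise it first, e.g. `String shown = xmlfile.replaceAll("[^\\x20-\\x7E]", "?");` and `throw new ConfigurationException("Invalid xml file name (" + shown + ")");`. The same pattern repeats in validate() just below and in the SvcLogicStoreFactory hunk (`propfile`) and should be fixed together. The bodies of load() and validate() continue past the hunk, so I cannot see whether the path is logged again further down.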
diff --git a/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java b/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java
index 37e4fe877..ab6f8bcc8 100644
--- a/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java
+++ b/sli/provider-base/src/main/java/org/onap/ccsdk/sli/core/sli/recording/FileRecorder.java
@@ -33,6 +33,7 @@ import java.util.Map;
 import java.util.TimeZone;
 import org.onap.ccsdk.sli.core.sli.ConfigurationException;
+import org.onap.ccsdk.sli.core.sli.PathValidator;
 import org.onap.ccsdk.sli.core.sli.SvcLogicException;
 import org.onap.ccsdk.sli.core.sli.SvcLogicRecorder;
@@ -47,6 +48,10 @@ public class FileRecorder implements SvcLogicRecorder {
 {
 throw new ConfigurationException("No file parameter specified");
 }
+
+ if (!PathValidator.isValidFilePath(fileName)) {
+ throw new ConfigurationException("Invalid file name ("+fileName+")");
+ }
 String record = parmMap.get("record");
 if (record == null)
-- 
cgit 1.2.3-korg
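Review bot: The new `PathValidator.isValidFilePath(fileName)` check rejects any `file` parameter containing a `.`, because that method's pattern is `[-\\w/\\/]+` with no dot, so a recorder target such as `/var/log/onap/svclogic.log` now fails with "Invalid file name" — I cannot see the callers that supply `fileName`, but an output file named without an extension would be unusual, so this looks like a functional regression rather than a hardening. If extensions are legitimate here, the allow-list should admit `.` while still refusing a `..` segment (a change in PathValidator, not in this file), or FileRecorder should instead normalise the path and check it stays under a configured base directory. As in the other files, the message `"Invalid file name ("+fileName+")"` echoes the rejected string verbatim, which is the content the check exists to keep out of logs; drop it or filter non-printable characters before embedding. The enclosing method starts before this hunk.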