authorPamela Dragosh <pdragosh@research.att.com>2021-01-14 15:24:37 -0500
committerPamela Dragosh <pdragosh@research.att.com>2021-01-14 15:56:22 -0500
commite72afd705e3e575161db480adc8fbc4ff71ba2b9 (patch)
tree5dd12188749b6d3390a4b468bd40dff3292d7cd0
parentbd1744d82d6e8d817d81f5ef607a8169c7c7591f (diff)
Avoid path injection
Adding a check to ensure that a zip file cannot be corrupted with a path injection to open a stream somewhere else in the file system. Issue-ID: POLICY-2908 Change-Id: Iaa75fc8c14831ad73fa7ab59c618909ff5af454c Signed-off-by: Pamela Dragosh <pdragosh@research.att.com>
-rw-r--r--plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java32
1 files changed, 29 insertions, 3 deletions
diff --git a/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java b/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
index 7dc16893..282578d0 100644
--- a/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
+++ b/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
@@ -2,7 +2,7 @@
* ============LICENSE_START=======================================================
* Copyright (C) 2018 Ericsson. All rights reserved.
* Copyright (C) 2019 Nordix Foundation.
- * Modifications Copyright (C) 2020 AT&T Inc.
+ * Modifications Copyright (C) 2020-2021 AT&T Inc.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -23,6 +23,8 @@
package org.onap.policy.distribution.reception.decoding.policy.file;
import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
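Review bot: The added `import java.nio.file.Paths;` appears unused, since the only new code in this commit builds the path with `Path.of(...)` (the factory on `Path` itself) and no hunk references `Paths`. Unless another part of the file outside these hunks uses it, it should be dropped to keep the import block clean and avoid an unused-import warning: remove `import java.nio.file.Paths;`.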
@@ -76,8 +78,7 @@ public class PolicyDecoderFileInCsarToPolicy implements PolicyDecoder<Csar, Tosc
final Enumeration<? extends ZipEntry> entries = zipFile.entries();
while (entries.hasMoreElements()) {
final ZipEntry entry = entries.nextElement();
- if (entry.getName().contains(decoderParameters.getPolicyTypeFileName())
- || entry.getName().contains(decoderParameters.getPolicyFileName())) {
+ if (isZipEntryValid(entry, csar.getCsarPath())) {
final ToscaServiceTemplate policy =
coder.decode(zipFile.getInputStream(entry), ToscaServiceTemplate.class);
policyList.add(policy);
@@ -89,4 +90,29 @@ public class PolicyDecoderFileInCsarToPolicy implements PolicyDecoder<Csar, Tosc
return policyList;
}
+
+ /**
+ * Method to filter out Policy type and Policy files. In addition,
+ * ensures validation of entries in the Zipfile. Attempts to solve path
+ * injection java security issues.
+ *
+ * @param entry the ZipEntry to check
+ * @param csarPath Absolute path to the csar the ZipEntry is in
+ * @return true if no injection detected, and it is a policy type or policy file.
+ */
+ private boolean isZipEntryValid(ZipEntry entry, String csarPath) {
+ //
+ // We only care about policy types and policies
+ //
+ if (entry.getName().contains(decoderParameters.getPolicyTypeFileName())
+ || entry.getName().contains(decoderParameters.getPolicyFileName())) {
+ //
+ // Now ensure that there is no path injection
+ //
+ Path path = Path.of(csarPath, entry.getName()).normalize();
+ return path.startsWith(csarPath);
+ }
+
+ return false;
+ }
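Review bot: The containment check in isZipEntryValid joins the base and the entry name with `Path.of(csarPath, entry.getName())`, which concatenates the elements rather than resolving them, so an entry name that is absolute (e.g. starting with `/`) is re-rooted under csarPath and passes, and the base itself is never normalized, so a csarPath containing `..` segments would make `startsWith(csarPath)` fail for every legitimate entry. The usual idiom normalizes the base first and resolves against it: `Path base = Path.of(csarPath).normalize();` / `Path path = base.resolve(entry.getName()).normalize();` / `return path.startsWith(base);`. Since the entry is only ever read through `zipFile.getInputStream(entry)` in the earlier hunk rather than opened from the file system, this check seems to be defence in depth against the entry name, which is worth stating in the Javadoc, e.g. `Rejects entry names that would escape the CSAR's directory if resolved on disk (e.g. via ".." segments).`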
}