Diffstat (limited to 'plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java')
-rw-r--r--plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java80
1 files changed, 11 insertions, 69 deletions
diff --git a/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java b/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
index 72316f28..c4ba21fe 100644
--- a/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
+++ b/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
@@ -1,7 +1,7 @@
/*-
* ============LICENSE_START=======================================================
* Copyright (C) 2018 Ericsson. All rights reserved.
- * Copyright (C) 2019 Nordix Foundation.
+ * Copyright (C) 2022 Nordix Foundation.
* Modifications Copyright (C) 2020-2021 AT&T Intellectual Property. All rights reserved.
* Modifications Copyright (C) 2021 Bell Canada. All rights reserved.
* ================================================================================
@@ -24,7 +24,6 @@
package org.onap.policy.distribution.reception.decoding.policy.file;
import java.io.IOException;
-import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
@@ -32,12 +31,11 @@ import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import org.onap.policy.common.parameters.ParameterService;
import org.onap.policy.common.utils.coder.CoderException;
-import org.onap.policy.common.utils.coder.StandardCoder;
-import org.onap.policy.common.utils.coder.StandardYamlCoder;
import org.onap.policy.distribution.model.Csar;
import org.onap.policy.distribution.model.PolicyInput;
import org.onap.policy.distribution.reception.decoding.PolicyDecoder;
import org.onap.policy.distribution.reception.decoding.PolicyDecodingException;
+import org.onap.policy.distribution.reception.util.ReceptionUtil;
import org.onap.policy.models.tosca.authorative.concepts.ToscaEntity;
import org.onap.policy.models.tosca.authorative.concepts.ToscaServiceTemplate;
@@ -49,9 +47,6 @@ import org.onap.policy.models.tosca.authorative.concepts.ToscaServiceTemplate;
public class PolicyDecoderFileInCsarToPolicy implements PolicyDecoder<Csar, ToscaEntity> {
private PolicyDecoderFileInCsarToPolicyParameterGroup decoderParameters;
- private StandardCoder coder;
- private StandardYamlCoder yamlCoder;
- private static final long MAX_FILE_SIZE = 512L * 1024;
/**
* {@inheritDoc}.
@@ -59,8 +54,6 @@ public class PolicyDecoderFileInCsarToPolicy implements PolicyDecoder<Csar, Tosc
@Override
public void configure(final String parameterGroupName) {
decoderParameters = ParameterService.get(parameterGroupName);
- coder = new StandardCoder();
- yamlCoder = new StandardYamlCoder();
}
/**
@@ -87,9 +80,15 @@ public class PolicyDecoderFileInCsarToPolicy implements PolicyDecoder<Csar, Tosc
// isZipEntryValid ensures the file being read exists in the archive
//
final ZipEntry entry = entries.nextElement(); // NOSONAR
- if (isZipEntryValid(entry.getName(), csar.getCsarFilePath(), entry.getSize())) {
- final ToscaServiceTemplate policy =
- decodeFile(zipFile, entry);
+ final String entryName = entry.getName();
+
+ //
+ // We only care about policy types and policies
+ //
+ if (entryName.contains(decoderParameters.getPolicyTypeFileName())
+ || entryName.contains(decoderParameters.getPolicyFileName())) {
+ ReceptionUtil.validateZipEntry(entryName, csar.getCsarFilePath(), entry.getSize());
+ final ToscaServiceTemplate policy = ReceptionUtil.decodeFile(zipFile, entry);
policyList.add(policy);
}
}
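Review bot: The size handed to `ReceptionUtil.validateZipEntry` is `entry.getSize()`, which is the value declared by the archive and is -1 when unknown, so a limit like the removed `entrySize > MAX_FILE_SIZE` does not bound what `ReceptionUtil.decodeFile` actually reads from the entry's stream. Neither helper is visible in this hunk, so confirm that one of them rejects a negative size and caps the bytes read while decoding. The removed `decodeFile` returned null for names ending in neither `.json` nor `.yaml`; if the shared helper keeps that behaviour, `policyList.add(policy)` stores a null, which `if (policy != null) { policyList.add(policy); }` would avoid. The context comment above `entries.nextElement()` still cites `isZipEntryValid`, which this commit deletes, so it should be reworded to something like `// ReceptionUtil.validateZipEntry checks the entry before it is read`. The enclosing method starts and ends outside the hunk.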
@@ -99,61 +98,4 @@ public class PolicyDecoderFileInCsarToPolicy implements PolicyDecoder<Csar, Tosc
return policyList;
}
-
- /**
- * Method to filter out Policy type and Policy files. In addition,
- * ensures validation of entries in the Zipfile. Attempts to solve path
- * injection java security issues.
- *
- * @param entryName name of the ZipEntry to check
- * @param csarPath Absolute path to the csar the ZipEntry is in
- * @param entrySize size of the ZipEntry
- * @return true if no injection detected, and it is a policy type or policy file.
- * @throws PolicyDecodingException if the file size is too large
- */
- private boolean isZipEntryValid(String entryName, String csarPath, long entrySize) throws PolicyDecodingException {
- //
- // We only care about policy types and policies
- //
- if (entryName.contains(decoderParameters.getPolicyTypeFileName())
- || entryName.contains(decoderParameters.getPolicyFileName())) {
- //
- // Check file size
- //
- if (entrySize > MAX_FILE_SIZE) {
- throw new PolicyDecodingException("Zip entry for " + entryName + " is too large " + entrySize);
- }
- //
- // Now ensure that there is no path injection
- //
- var path = Path.of(csarPath, entryName).normalize();
- //
- // Throw an exception if path is outside the csar
- //
- if (! path.startsWith(csarPath)) {
- throw new PolicyDecodingException("Potential path injection for zip entry " + entryName);
- }
- return true;
- }
-
- return false;
- }
-
- /**
- * Method to decode either a json or yaml file into an object.
- *
- * @param zipFile the zip file
- * @param entry the entry to read in the zip file.
- * @return the decoded ToscaServiceTemplate object.
- * @throws CoderException IOException if the file decoding fails.
- */
- private ToscaServiceTemplate decodeFile(ZipFile zipFile, final ZipEntry entry) throws IOException, CoderException {
- ToscaServiceTemplate policy = null;
- if (entry.getName().endsWith(".json")) {
- policy = coder.decode(zipFile.getInputStream(entry), ToscaServiceTemplate.class);
- } else if (entry.getName().endsWith(".yaml")) {
- policy = yamlCoder.decode(zipFile.getInputStream(entry), ToscaServiceTemplate.class);
- }
- return policy;
- }
}