From e72afd705e3e575161db480adc8fbc4ff71ba2b9 Mon Sep 17 00:00:00 2001
From: Pamela Dragosh <pdragosh@research.att.com>
Date: Thu, 14 Jan 2021 15:24:37 -0500
Subject: Avoid path injection

Adding a check to ensure that a zip file cannot be corrupted
with a path injection to open a stream somewhere else in the
file system.

Issue-ID: POLICY-2908
Change-Id: Iaa75fc8c14831ad73fa7ab59c618909ff5af454c
Signed-off-by: Pamela Dragosh <pdragosh@research.att.com>
---
 .../file/PolicyDecoderFileInCsarToPolicy.java      | 32 ++++++++++++++++++++--
 1 file changed, 29 insertions(+), 3 deletions(-)

(limited to 'plugins/reception-plugins/src/main')

diff --git a/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java b/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
index 7dc16893..282578d0 100644
--- a/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
+++ b/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  *  Copyright (C) 2018 Ericsson. All rights reserved.
  *  Copyright (C) 2019 Nordix Foundation.
- *  Modifications Copyright (C) 2020 AT&T Inc.
+ *  Modifications Copyright (C) 2020-2021 AT&T Inc.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,8 @@
 package org.onap.policy.distribution.reception.decoding.policy.file;
 
 import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Enumeration;
@@ -76,8 +78,7 @@ public class PolicyDecoderFileInCsarToPolicy implements PolicyDecoder<Csar, Tosc
             final Enumeration<? extends ZipEntry> entries = zipFile.entries();
             while (entries.hasMoreElements()) {
                 final ZipEntry entry = entries.nextElement();
-                if (entry.getName().contains(decoderParameters.getPolicyTypeFileName())
-                        || entry.getName().contains(decoderParameters.getPolicyFileName())) {
+                if (isZipEntryValid(entry, csar.getCsarPath())) {
                     final ToscaServiceTemplate policy =
                             coder.decode(zipFile.getInputStream(entry), ToscaServiceTemplate.class);
                     policyList.add(policy);
@@ -89,4 +90,29 @@ public class PolicyDecoderFileInCsarToPolicy implements PolicyDecoder<Csar, Tosc
 
         return policyList;
     }
+
+    /**
+     * Method to filter out Policy type and Policy files. In addition,
+     * ensures validation of entries in the Zipfile. Attempts to solve path
+     * injection java security issues.
+     *
+     * @param entry the ZipEntry to check
+     * @param csarPath Absolute path to the csar the ZipEntry is in
+     * @return true if no injection detected, and it is a policy type  or policy file.
+     */
+    private boolean isZipEntryValid(ZipEntry entry, String csarPath) {
+        //
+        // We only care about policy types and policies
+        //
+        if (entry.getName().contains(decoderParameters.getPolicyTypeFileName())
+                || entry.getName().contains(decoderParameters.getPolicyFileName())) {
+            //
+            // Now ensure that there is no path injection
+            //
+            Path path = Path.of(csarPath, entry.getName()).normalize();
+            return path.startsWith(csarPath);
+        }
+
+        return false;
+    }
 }
-- 
cgit 1.2.3-korg