From e72afd705e3e575161db480adc8fbc4ff71ba2b9 Mon Sep 17 00:00:00 2001
From: Pamela Dragosh
Date: Thu, 14 Jan 2021 15:24:37 -0500
Subject: Avoid path injection
Adding a check to ensure that a zip file cannot be corrupted with a path injection to open a stream somewhere else in the file system.
Issue-ID: POLICY-2908
Change-Id: Iaa75fc8c14831ad73fa7ab59c618909ff5af454c
Signed-off-by: Pamela Dragosh
---
 .../file/PolicyDecoderFileInCsarToPolicy.java | 32 ++++++++++++++++++++--
 1 file changed, 29 insertions(+), 3 deletions(-)
(limited to 'plugins/reception-plugins/src/main')
diff --git a/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java b/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
index 7dc16893..282578d0 100644
--- a/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
+++ b/plugins/reception-plugins/src/main/java/org/onap/policy/distribution/reception/decoding/policy/file/PolicyDecoderFileInCsarToPolicy.java
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * Copyright (C) 2018 Ericsson. All rights reserved.
  * Copyright (C) 2019 Nordix Foundation.
- * Modifications Copyright (C) 2020 AT&T Inc.
+ * Modifications Copyright (C) 2020-2021 AT&T Inc.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,8 @@
 package org.onap.policy.distribution.reception.decoding.policy.file;
 
 import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Enumeration;
@@ -76,8 +78,7 @@ public class PolicyDecoderFileInCsarToPolicy implements PolicyDecoder entries = zipFile.entries(); while (entries.hasMoreElements()) { final ZipEntry entry = entries.nextElement(); - if (entry.getName().contains(decoderParameters.getPolicyTypeFileName()) - || entry.getName().contains(decoderParameters.getPolicyFileName())) { + if (isZipEntryValid(entry, csar.getCsarPath())) { final ToscaServiceTemplate policy = coder.decode(zipFile.getInputStream(entry), ToscaServiceTemplate.class); policyList.add(policy); @@ -89,4 +90,29 @@ public class PolicyDecoderFileInCsarToPolicy implements PolicyDecoder
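Review bot: The new guard `isZipEntryValid(entry, csar.getCsarPath())` replaces the visible `contains(...)` test on the policy-type and policy file names, but the helper itself is defined in a later hunk outside this excerpt, so whether it still applies that name filter on top of the path check described in the commit message cannot be confirmed from this loop. If it does both, a short comment at the call site would spare the next reader a jump, e.g. `// accept only configured policy files whose normalized path stays inside the CSAR directory`; if it only does the path check, the name filter has been dropped here and every archive member would be decoded as a ToscaServiceTemplate. Note that `zipFile.getInputStream(entry)` on the following line reads the member from within the archive and does not by itself resolve the entry name against the file system, so the value of the path check depends on any later code that turns the entry name into a filesystem path, which is also outside this hunk. The method enclosing this loop begins before the hunk.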