aboutsummaryrefslogtreecommitdiffstats
path: root/catalog-model
diff options
context:
space:
mode:
authorandre.schmid <andre.schmid@est.tech>2019-09-27 13:27:11 +0100
committerOfir Sonsino <ofir.sonsino@intl.att.com>2019-10-30 09:47:54 +0000
commitbf5eeb23a769a2e2b75f432b74f10fdbcfd2f161 (patch)
treefa27998ee6efef6f7651315cbf71271130fca025 /catalog-model
parent19773b769c6762a12876064c70a34cc31d2b12da (diff)
Fix zip slip security flaw
Apply zip slip checking in zip operations throughout the system. Centralizes most of the zip logic in one class. Create tests to zip functionalities and zip slip problem. Change-Id: I721f3d44b34fe6d242c9537f5a515ce1bb534c9a Issue-ID: SDC-1401 Signed-off-by: andre.schmid <andre.schmid@est.tech>
Diffstat (limited to 'catalog-model')
-rw-r--r--catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java29
-rw-r--r--catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java41
2 files changed, 6 insertions, 64 deletions
diff --git a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java
index 9ae2f252c9..af8a68f410 100644
--- a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java
+++ b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java
@@ -25,17 +25,11 @@ import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import fj.data.Either;
-import org.apache.commons.io.filefilter.WildcardFileFilter;
import org.openecomp.sdc.be.model.User;
import org.openecomp.sdc.be.model.operations.api.StorageOperationStatus;
import org.openecomp.sdc.common.log.wrappers.Logger;
-import org.openecomp.sdc.common.util.ZipUtil;
import javax.annotation.PostConstruct;
-import java.io.File;
-import java.io.FileFilter;
-import java.io.IOException;
-import java.nio.file.Files;
import java.util.Map;
@org.springframework.stereotype.Component("csar-operation")
@@ -62,29 +56,6 @@ public class CsarOperation {
}
- public Either<Map<String, byte[]>, StorageOperationStatus> getMockCsar(String csarUuid) {
- File dir = new File("/var/tmp/mockCsar");
- FileFilter fileFilter = new WildcardFileFilter("*.csar");
- File[] files = dir.listFiles(fileFilter);
- for (int i = 0; i < files.length; i++) {
- File csar = files[i];
- if (csar.getName().startsWith(csarUuid)) {
- log.debug("Found CSAR file {} matching the passed csarUuid {}", csar.getAbsolutePath(), csarUuid);
- byte[] data;
- try {
- data = Files.readAllBytes(csar.toPath());
- } catch (IOException e) {
- log.debug("Error reading mock file for CSAR, error: {}", e);
- return Either.right(StorageOperationStatus.NOT_FOUND);
- }
- Map<String, byte[]> readZip = ZipUtil.readZip(data);
- return Either.left(readZip);
- }
- }
- log.debug("Couldn't find mock file for CSAR starting with {}", csarUuid);
- return Either.right(StorageOperationStatus.CSAR_NOT_FOUND);
- }
-
/**
* get csar from remote repository
*
diff --git a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java
index 8e1ee19358..ed0b43e38e 100644
--- a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java
+++ b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java
@@ -21,7 +21,8 @@
package org.openecomp.sdc.be.model.operations.impl;
import fj.data.Either;
-import org.apache.commons.io.filefilter.WildcardFileFilter;
+import java.util.Map;
+import java.util.Properties;
import org.apache.http.HttpStatus;
import org.openecomp.sdc.be.config.Configuration.OnboardingConfig;
import org.openecomp.sdc.be.config.ConfigurationManager;
@@ -30,14 +31,7 @@ import org.openecomp.sdc.common.api.Constants;
import org.openecomp.sdc.common.http.client.api.HttpRequest;
import org.openecomp.sdc.common.http.client.api.HttpResponse;
import org.openecomp.sdc.common.log.wrappers.Logger;
-import org.openecomp.sdc.common.util.ZipUtil;
-
-import java.io.File;
-import java.io.FileFilter;
-import java.io.IOException;
-import java.nio.file.Files;
-import java.util.Map;
-import java.util.Properties;
+import org.openecomp.sdc.common.zip.ZipUtils;
@org.springframework.stereotype.Component("onboarding-client")
public class OnboardingClient {
@@ -64,29 +58,6 @@ public class OnboardingClient {
}
- public Either<Map<String, byte[]>, StorageOperationStatus> getMockCsar(String csarUuid) {
- File dir = new File("/var/tmp/mockCsar");
- FileFilter fileFilter = new WildcardFileFilter("*.csar");
- File[] files = dir.listFiles(fileFilter);
- for (int i = 0; i < files.length; i++) {
- File csar = files[i];
- if (csar.getName().startsWith(csarUuid)) {
- log.debug("Found CSAR file {} matching the passed csarUuid {}", csar.getAbsolutePath(), csarUuid);
- byte[] data;
- try {
- data = Files.readAllBytes(csar.toPath());
- } catch (IOException e) {
- log.debug("Error reading mock file for CSAR, error: {}", e);
- return Either.right(StorageOperationStatus.NOT_FOUND);
- }
- Map<String, byte[]> readZip = ZipUtil.readZip(data);
- return Either.left(readZip);
- }
- }
- log.debug("Couldn't find mock file for CSAR starting with {}", csarUuid);
- return Either.right(StorageOperationStatus.NOT_FOUND);
- }
-
public Either<Map<String, byte[]>, StorageOperationStatus> getCsar(String csarUuid, String userId) {
String url = buildDownloadCsarUrl() + "/" + csarUuid;
@@ -109,7 +80,7 @@ public class OnboardingClient {
case HttpStatus.SC_OK:
byte[] data = httpResponse.getResponse();
if (data != null && data.length > 0) {
- Map<String, byte[]> readZip = ZipUtil.readZip(data);
+ Map<String, byte[]> readZip = ZipUtils.readZip(data, false);
return Either.left(readZip);
} else {
log.debug("Data received from rest is null or empty");
@@ -124,7 +95,7 @@ public class OnboardingClient {
}
}
catch(Exception e) {
- log.debug("Request failed with exception {}", e);
+ log.debug("Request failed with exception", e);
return Either.right(StorageOperationStatus.GENERAL_ERROR);
}
}
@@ -158,7 +129,7 @@ public class OnboardingClient {
}
}
catch(Exception e) {
- log.debug("Request failed with exception {}", e);
+ log.debug("Request failed with exception", e);
return Either.right(StorageOperationStatus.GENERAL_ERROR);
}
}