author | andre.schmid <andre.schmid@est.tech> | 2019-09-27 13:27:11 +0100 |
committer | Ofir Sonsino <ofir.sonsino@intl.att.com> | 2019-10-30 09:47:54 +0000 |
commit | bf5eeb23a769a2e2b75f432b74f10fdbcfd2f161 (patch) | |
tree | fa27998ee6efef6f7651315cbf71271130fca025 /catalog-model | |
parent | 19773b769c6762a12876064c70a34cc31d2b12da (diff) |
Fix zip slip security flaw
Apply zip slip checking in zip operations throughout the system.
Centralize most of the zip logic in one class. Create tests for the zip
functionality and for the zip slip problem.
Change-Id: I721f3d44b34fe6d242c9537f5a515ce1bb534c9a
Issue-ID: SDC-1401
Signed-off-by: andre.schmid <andre.schmid@est.tech>
Diffstat (limited to 'catalog-model')
2 files changed, 6 insertions, 64 deletions
diff --git a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java
index 9ae2f252c9..af8a68f410 100644
--- a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java
+++ b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java
@@ -25,17 +25,11 @@ import com.google.gson.JsonArray;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonParser;
 import fj.data.Either;
-import org.apache.commons.io.filefilter.WildcardFileFilter;
 import org.openecomp.sdc.be.model.User;
 import org.openecomp.sdc.be.model.operations.api.StorageOperationStatus;
 import org.openecomp.sdc.common.log.wrappers.Logger;
-import org.openecomp.sdc.common.util.ZipUtil;
 import javax.annotation.PostConstruct;
-import java.io.File;
-import java.io.FileFilter;
-import java.io.IOException;
-import java.nio.file.Files;
 import java.util.Map;
 @org.springframework.stereotype.Component("csar-operation")
@@ -62,29 +56,6 @@ public class CsarOperation {
 }
- public Either<Map<String, byte[]>, StorageOperationStatus> getMockCsar(String csarUuid) {
- File dir = new File("/var/tmp/mockCsar");
- FileFilter fileFilter = new WildcardFileFilter("*.csar");
- File[] files = dir.listFiles(fileFilter);
- for (int i = 0; i < files.length; i++) {
- File csar = files[i];
- if (csar.getName().startsWith(csarUuid)) {
- log.debug("Found CSAR file {} matching the passed csarUuid {}", csar.getAbsolutePath(), csarUuid);
- byte[] data;
- try {
- data = Files.readAllBytes(csar.toPath());
- } catch (IOException e) {
- log.debug("Error reading mock file for CSAR, error: {}", e);
- return Either.right(StorageOperationStatus.NOT_FOUND);
- }
- Map<String, byte[]> readZip = ZipUtil.readZip(data);
- return Either.left(readZip);
- }
- }
- log.debug("Couldn't find mock file for CSAR starting with {}", csarUuid);
- return Either.right(StorageOperationStatus.CSAR_NOT_FOUND);
- }
-
 /**
 * get csar from remote repository
 *
diff --git a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java
index 8e1ee19358..ed0b43e38e 100644
--- a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java
+++ b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java
@@ -21,7 +21,8 @@ package org.openecomp.sdc.be.model.operations.impl;
 import fj.data.Either;
-import org.apache.commons.io.filefilter.WildcardFileFilter;
+import java.util.Map;
+import java.util.Properties;
 import org.apache.http.HttpStatus;
 import org.openecomp.sdc.be.config.Configuration.OnboardingConfig;
 import org.openecomp.sdc.be.config.ConfigurationManager;
@@ -30,14 +31,7 @@ import org.openecomp.sdc.common.api.Constants;
 import org.openecomp.sdc.common.http.client.api.HttpRequest;
 import org.openecomp.sdc.common.http.client.api.HttpResponse;
 import org.openecomp.sdc.common.log.wrappers.Logger;
-import org.openecomp.sdc.common.util.ZipUtil;
-
-import java.io.File;
-import java.io.FileFilter;
-import java.io.IOException;
-import java.nio.file.Files;
-import java.util.Map;
-import java.util.Properties;
+import org.openecomp.sdc.common.zip.ZipUtils;
 @org.springframework.stereotype.Component("onboarding-client")
 public class OnboardingClient {
@@ -64,29 +58,6 @@ public class OnboardingClient {
 }
- public Either<Map<String, byte[]>, StorageOperationStatus> getMockCsar(String csarUuid) {
- File dir = new File("/var/tmp/mockCsar");
- FileFilter fileFilter = new WildcardFileFilter("*.csar");
- File[] files = dir.listFiles(fileFilter);
- for (int i = 0; i < files.length; i++) {
- File csar = files[i];
- if (csar.getName().startsWith(csarUuid)) {
- log.debug("Found CSAR file {} matching the passed csarUuid {}", csar.getAbsolutePath(), csarUuid);
- byte[] data;
- try {
- data = Files.readAllBytes(csar.toPath());
- } catch (IOException e) {
- log.debug("Error reading mock file for CSAR, error: {}", e);
- return Either.right(StorageOperationStatus.NOT_FOUND);
- }
- Map<String, byte[]> readZip = ZipUtil.readZip(data);
- return Either.left(readZip);
- }
- }
- log.debug("Couldn't find mock file for CSAR starting with {}", csarUuid);
- return Either.right(StorageOperationStatus.NOT_FOUND);
- }
-
 public Either<Map<String, byte[]>, StorageOperationStatus> getCsar(String csarUuid, String userId) {
 String url = buildDownloadCsarUrl() + "/" + csarUuid;
@@ -109,7 +80,7 @@ public class OnboardingClient {
 case HttpStatus.SC_OK:
 byte[] data = httpResponse.getResponse();
 if (data != null && data.length > 0) {
- Map<String, byte[]> readZip = ZipUtil.readZip(data);
+ Map<String, byte[]> readZip = ZipUtils.readZip(data, false);
 return Either.left(readZip);
 } else {
 log.debug("Data received from rest is null or empty");
@@ -124,7 +95,7 @@ public class OnboardingClient {
 }
 } catch(Exception e) {
- log.debug("Request failed with exception {}", e);
+ log.debug("Request failed with exception", e);
 return Either.right(StorageOperationStatus.GENERAL_ERROR);
 }
 }
@@ -158,7 +129,7 @@ public class OnboardingClient {
 }
 } catch(Exception e) {
- log.debug("Request failed with exception {}", e);
+ log.debug("Request failed with exception", e);
 return Either.right(StorageOperationStatus.GENERAL_ERROR);
 }
 }
|
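Review bot: The new call `ZipUtils.readZip(data, false)` passes a bare boolean literal whose meaning is not visible in this hunk, so a reader cannot tell which behaviour of the new zip helper is being switched off for a CSAR received over HTTP; give it a name that matches the ZipUtils parameter, e.g. `final boolean <zipUtilsFlagName> = false;` followed by `Map<String, byte[]> readZip = ZipUtils.readZip(data, <zipUtilsFlagName>);`. Since readZip materializes every archive entry into a `Map<String, byte[]>`, it is also worth confirming that ZipUtils bounds the expanded size or entry count of an archive from the remote repository, and if it does not, recording that here with `// NOTE(review): no bound on expanded CSAR size at this call site — confirm ZipUtils enforces one`. The enclosing getCsar method starts and ends outside the hunk.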
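Review bot: In the `catch(Exception e)` block the corrected `log.debug("Request failed with exception", e)` now attaches the throwable, but a failure that the method reports to its caller as `StorageOperationStatus.GENERAL_ERROR` is still logged only at debug level, so under a production log configuration the cause (including a rejected archive, if ZipUtils signals one by throwing) leaves no trace; `log.warn("Request failed with exception", e);` would be the conventional level for a request that is given up on. The same applies to the identical hunk at `@@ -158,7 +129,7 @@`. Both catch blocks belong to methods whose bodies start outside their hunks.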