aboutsummaryrefslogtreecommitdiffstats
path: root/openecomp-be/api
diff options
context:
space:
mode:
authoraribeiro <anderson.ribeiro@est.tech>2021-02-15 17:24:11 +0000
committerChristophe Closset <christophe.closset@intl.att.com>2021-03-16 13:27:37 +0000
commit7010ea90e14305837a30764db8a5e4bc1338e378 (patch)
tree31a674fad95261e123e1cd2348f24c11f51373c4 /openecomp-be/api
parent77680c6f9d99adcf5c6a97380043f1d86b0d46fa (diff)
Fix Security Vulnerabilities
Issue-ID: SDC-3500 Signed-off-by: aribeiro <anderson.ribeiro@est.tech> Change-Id: I3fa2ed2bc3a170d8256fbc91c98bbfbaf5c0a403
Diffstat (limited to 'openecomp-be/api')
-rw-r--r--openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java10
-rw-r--r--openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImplTest.java39
-rw-r--r--openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-not-signed.csarbin0 -> 24874 bytes
-rw-r--r--openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-signed.zipbin0 -> 23905 bytes
4 files changed, 36 insertions, 13 deletions
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java
index 073400fd68..b393153ece 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java
@@ -1,6 +1,7 @@
/*
* Copyright © 2016-2018 European Support Limited
* Copyright © 2021 Nokia
+ * Copyright © 2021 Nordix Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -32,6 +33,7 @@ import java.util.Optional;
import javax.activation.DataHandler;
import javax.inject.Named;
import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.cxf.jaxrs.ext.multipart.Attachment;
import org.openecomp.sdc.activitylog.ActivityLogManager;
@@ -39,6 +41,7 @@ import org.openecomp.sdc.activitylog.ActivityLogManagerFactory;
import org.openecomp.sdc.activitylog.dao.type.ActivityLogEntity;
import org.openecomp.sdc.activitylog.dao.type.ActivityType;
import org.openecomp.sdc.common.errors.Messages;
+import org.openecomp.sdc.common.util.ValidationUtils;
import org.openecomp.sdc.common.utils.SdcCommon;
import org.openecomp.sdc.datatypes.error.ErrorLevel;
import org.openecomp.sdc.datatypes.error.ErrorMessage;
@@ -100,13 +103,13 @@ public class OrchestrationTemplateCandidateImpl implements OrchestrationTemplate
final Attachment fileToUpload, final String user) {
final byte[] fileToUploadBytes = fileToUpload.getObject(byte[].class);
final DataHandler dataHandler = fileToUpload.getDataHandler();
- final String filename = dataHandler.getName();
+ final String filename = ValidationUtils.sanitizeInputString(dataHandler.getName());
final OnboardingPackageProcessor onboardingPackageProcessor = new OnboardingPackageProcessor(filename, fileToUploadBytes);
if (onboardingPackageProcessor.hasErrors()) {
final UploadFileResponseDto uploadFileResponseDto =
buildUploadResponseWithError(onboardingPackageProcessor.getErrorMessages().toArray(new ErrorMessage[0]));
- return Response.ok(uploadFileResponseDto).build();
+ return Response.status(Status.NOT_ACCEPTABLE).entity(uploadFileResponseDto).build();
}
final OnboardPackageInfo onboardPackageInfo = onboardingPackageProcessor.getOnboardPackageInfo().orElse(null);
@@ -117,7 +120,8 @@ public class OrchestrationTemplateCandidateImpl implements OrchestrationTemplate
return Response.ok(uploadFileResponseDto).build();
}
- final VspDetails vspDetails = new VspDetails(vspId, new Version(versionId));
+ final VspDetails vspDetails = new VspDetails(ValidationUtils.sanitizeInputString(vspId),
+ new Version(ValidationUtils.sanitizeInputString(versionId)));
return processOnboardPackage(onboardPackageInfo, vspDetails);
}
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImplTest.java b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImplTest.java
index dec6342cb8..41891dea74 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImplTest.java
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImplTest.java
@@ -22,16 +22,21 @@ package org.openecomp.sdcrests.vsp.rest.services;
import static junit.framework.TestCase.assertEquals;
import static junit.framework.TestCase.assertFalse;
+import static org.junit.Assert.assertTrue;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.MockitoAnnotations.initMocks;
import static org.mockito.Mockito.when;
import java.io.IOException;
+import java.net.URL;
import java.util.Arrays;
+import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import javax.activation.DataHandler;
import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.cxf.jaxrs.ext.multipart.Attachment;
import org.apache.cxf.jaxrs.ext.multipart.ContentDisposition;
@@ -135,32 +140,46 @@ public class OrchestrationTemplateCandidateImplTest {
@Test
public void uploadSignedTest() {
- Response response = orchestrationTemplateCandidate.upload("1", "1", mockAttachment("filename.zip"), "1");
- assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
+ Response response = orchestrationTemplateCandidate
+ .upload("1", "1", mockAttachment("filename.zip", this.getClass().getResource("/files/sample-signed.zip")),
+ "1");
+ assertEquals(Status.OK.getStatusCode(), response.getStatus());
+ assertTrue(((UploadFileResponseDto) response.getEntity()).getErrors().isEmpty());
}
@Test
- public void uploadNotSignedTest(){
- Response response = orchestrationTemplateCandidate.upload("1", "1", mockAttachment("filename.csar"), "1");
- assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
+ public void uploadNotSignedTest() {
+ Response response = orchestrationTemplateCandidate.upload("1", "1",
+ mockAttachment("filename.csar", this.getClass().getResource("/files/sample-not-signed.csar")), "1");
+ assertEquals(Status.OK.getStatusCode(), response.getStatus());
+ assertTrue(((UploadFileResponseDto) response.getEntity()).getErrors().isEmpty());
}
- private Attachment mockAttachment(final String fileName) {
+ private Attachment mockAttachment(final String fileName, final URL fileToUpload) {
final Attachment attachment = Mockito.mock(Attachment.class);
when(attachment.getContentDisposition()).thenReturn(new ContentDisposition("test"));
final DataHandler dataHandler = Mockito.mock(DataHandler.class);
when(dataHandler.getName()).thenReturn(fileName);
when(attachment.getDataHandler()).thenReturn(dataHandler);
- final byte[] bytes = "upload package Test".getBytes();
+ byte[] bytes = "upload package Test".getBytes();
+ if (Objects.nonNull(fileToUpload)) {
+ try {
+ bytes = IOUtils.toByteArray(fileToUpload);
+ } catch (final IOException e) {
+ logger.error("unexpected exception", e);
+ Assert.fail("Not able to convert file to byte array");
+ }
+ }
when(attachment.getObject(ArgumentMatchers.any())).thenReturn(bytes);
return attachment;
}
@Test
public void uploadSignNotValidTest() {
- Response response = orchestrationTemplateCandidate.upload("1", "1", mockAttachment("filename.zip"), "1");
- assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
- assertFalse(((UploadFileResponseDto)response.getEntity()).getErrors().isEmpty());
+ Response response = orchestrationTemplateCandidate
+ .upload("1", "1", mockAttachment("filename.zip", null), "1");
+ assertEquals(Status.NOT_ACCEPTABLE.getStatusCode(), response.getStatus());
+ assertFalse(((UploadFileResponseDto) response.getEntity()).getErrors().isEmpty());
}
@Test
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-not-signed.csar b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-not-signed.csar
new file mode 100644
index 0000000000..e4e60b26d1
--- /dev/null
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-not-signed.csar
Binary files differ
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-signed.zip b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-signed.zip
new file mode 100644
index 0000000000..fecb45aaaf
--- /dev/null
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-signed.zip
Binary files differ