From bf5eeb23a769a2e2b75f432b74f10fdbcfd2f161 Mon Sep 17 00:00:00 2001
From: "andre.schmid"
Date: Fri, 27 Sep 2019 13:27:11 +0100
Subject: Fix zip slip security flaw

Apply zip slip checking in zip operations throughout the system. Centralizes most of the zip logic in one class. Create tests to zip functionalities and zip slip problem.

Change-Id: I721f3d44b34fe6d242c9537f5a515ce1bb534c9a
Issue-ID: SDC-1401
Signed-off-by: andre.schmid
---
 .../be/model/operations/impl/CsarOperation.java | 29 ---------------
 .../be/model/operations/impl/OnboardingClient.java | 41 ++++------------------
 2 files changed, 6 insertions(+), 64 deletions(-)
(limited to 'catalog-model')

diff --git a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java
index 9ae2f252c9..af8a68f410 100644
--- a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java
+++ b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/CsarOperation.java
@@ -25,17 +25,11 @@ import com.google.gson.JsonArray;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonParser;
 import fj.data.Either;
-import org.apache.commons.io.filefilter.WildcardFileFilter;
 import org.openecomp.sdc.be.model.User;
 import org.openecomp.sdc.be.model.operations.api.StorageOperationStatus;
 import org.openecomp.sdc.common.log.wrappers.Logger;
-import org.openecomp.sdc.common.util.ZipUtil;
 import javax.annotation.PostConstruct;
-import java.io.File;
-import java.io.FileFilter;
-import java.io.IOException;
-import java.nio.file.Files;
 import java.util.Map;
 @org.springframework.stereotype.Component("csar-operation")
@@ -62,29 +56,6 @@ public class CsarOperation {
 }
- public Either, StorageOperationStatus> getMockCsar(String csarUuid) {
- File dir = new File("/var/tmp/mockCsar");
- FileFilter fileFilter = new WildcardFileFilter("*.csar");
- File[] files = dir.listFiles(fileFilter);
- for (int i = 0; i < files.length; i++) {
- File csar = files[i];
- if (csar.getName().startsWith(csarUuid)) {
- log.debug("Found CSAR file {} matching the passed csarUuid {}", csar.getAbsolutePath(), csarUuid);
- byte[] data;
- try {
- data = Files.readAllBytes(csar.toPath());
- } catch (IOException e) {
- log.debug("Error reading mock file for CSAR, error: {}", e);
- return Either.right(StorageOperationStatus.NOT_FOUND);
- }
- Map readZip = ZipUtil.readZip(data);
- return Either.left(readZip);
- }
- }
- log.debug("Couldn't find mock file for CSAR starting with {}", csarUuid);
- return Either.right(StorageOperationStatus.CSAR_NOT_FOUND);
- }
-
 /**
 * get csar from remote repository
 *
diff --git a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java
index 8e1ee19358..ed0b43e38e 100644
--- a/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java
+++ b/catalog-model/src/main/java/org/openecomp/sdc/be/model/operations/impl/OnboardingClient.java
@@ -21,7 +21,8 @@ package org.openecomp.sdc.be.model.operations.impl;
 import fj.data.Either;
-import org.apache.commons.io.filefilter.WildcardFileFilter;
+import java.util.Map;
+import java.util.Properties;
 import org.apache.http.HttpStatus;
 import org.openecomp.sdc.be.config.Configuration.OnboardingConfig;
 import org.openecomp.sdc.be.config.ConfigurationManager;
@@ -30,14 +31,7 @@ import org.openecomp.sdc.common.api.Constants;
 import org.openecomp.sdc.common.http.client.api.HttpRequest;
 import org.openecomp.sdc.common.http.client.api.HttpResponse;
 import org.openecomp.sdc.common.log.wrappers.Logger;
-import org.openecomp.sdc.common.util.ZipUtil;
-
-import java.io.File;
-import java.io.FileFilter;
-import java.io.IOException;
-import java.nio.file.Files;
-import java.util.Map;
-import java.util.Properties;
+import org.openecomp.sdc.common.zip.ZipUtils;
 @org.springframework.stereotype.Component("onboarding-client")
 public class OnboardingClient {
@@ -64,29 +58,6 @@ public class OnboardingClient {
 }
- public Either, StorageOperationStatus> getMockCsar(String csarUuid) {
- File dir = new File("/var/tmp/mockCsar");
- FileFilter fileFilter = new WildcardFileFilter("*.csar");
- File[] files = dir.listFiles(fileFilter);
- for (int i = 0; i < files.length; i++) {
- File csar = files[i];
- if (csar.getName().startsWith(csarUuid)) {
- log.debug("Found CSAR file {} matching the passed csarUuid {}", csar.getAbsolutePath(), csarUuid);
- byte[] data;
- try {
- data = Files.readAllBytes(csar.toPath());
- } catch (IOException e) {
- log.debug("Error reading mock file for CSAR, error: {}", e);
- return Either.right(StorageOperationStatus.NOT_FOUND);
- }
- Map readZip = ZipUtil.readZip(data);
- return Either.left(readZip);
- }
- }
- log.debug("Couldn't find mock file for CSAR starting with {}", csarUuid);
- return Either.right(StorageOperationStatus.NOT_FOUND);
- }
-
 public Either, StorageOperationStatus> getCsar(String csarUuid, String userId) {
 String url = buildDownloadCsarUrl() + "/" + csarUuid;
@@ -109,7 +80,7 @@ public class OnboardingClient {
 case HttpStatus.SC_OK:
 byte[] data = httpResponse.getResponse();
 if (data != null && data.length > 0) {
- Map readZip = ZipUtil.readZip(data);
+ Map readZip = ZipUtils.readZip(data, false);
 return Either.left(readZip);
 } else {
 log.debug("Data received from rest is null or empty");
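Review bot: The `false` passed in `Map readZip = ZipUtils.readZip(data, false);` (hunk @@ -109,7 +80,7 @@) is a bare boolean literal whose meaning is not visible at the call site; since the whole point of this commit is zip-slip checking, a reader has to open ZipUtils to confirm that this flag is not the one that disables entry-path validation. Prefer a named constant or enum if ZipUtils offers one, otherwise add a one-line comment at the call, e.g. `// false = <meaning of the second argument, per ZipUtils.readZip>`, with the placeholder filled in from ZipUtils. This is also worth noting because `data` is the body of a remote HTTP response, so this call is the point where untrusted archive entry names are handled; if ZipUtils does not itself bound the inflated size, a size limit here would be the natural place for it (I cannot see ZipUtils in this diff, so treat that as a question rather than a finding). The enclosing method getCsar starts and ends outside this hunk.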
@@ -124,7 +95,7 @@ public class OnboardingClient {
 }
 } catch(Exception e) {
- log.debug("Request failed with exception {}", e);
+ log.debug("Request failed with exception", e);
 return Either.right(StorageOperationStatus.GENERAL_ERROR);
 }
 }
@@ -158,7 +129,7 @@ public class OnboardingClient {
 }
 } catch(Exception e) {
- log.debug("Request failed with exception {}", e);
+ log.debug("Request failed with exception", e);
 return Either.right(StorageOperationStatus.GENERAL_ERROR);
 }
 }
-- cgit 1.2.3-korg
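Review bot: The corrected calls `log.debug("Request failed with exception", e);` in both hunks (@@ -124,7 +95,7 @@ and @@ -158,7 +129,7 @@) now attach the stack trace properly, but they still record a failed onboarding request at debug level inside a `catch(Exception e)` that collapses every failure into GENERAL_ERROR, so at default log levels an operator sees the error status with no cause. Logging these at warn or error, `log.error("Request failed with exception", e);`, would make download failures visible without changing the returned status. The catch is context from the original code and the enclosing methods start outside both hunks, so I cannot tell from here whether a narrower exception type is available.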