From 9056ae7b51532ef185164aefe2fccaeabed6946c Mon Sep 17 00:00:00 2001
From: "andre.schmid"
Date: Mon, 4 Nov 2019 13:59:28 +0000
Subject: Fix sonarqube issues introduced by ZipSlip change

Fix major and critical sonarqube issues introduced by ZipSlip change id I721f3d44b34fe6d242c9537f5a515ce1bb534c9a
Change-Id: I3aa2cd4116936d715baba99a38d43aa40fd62a29
Issue-ID: SDC-1401
Signed-off-by: andre.schmid
---
 .../org/openecomp/sdc/common/zip/ZipUtils.java | 47 +++++++++++++---------
 1 file changed, 27 insertions(+), 20 deletions(-)
(limited to 'common-app-api/src')
diff --git a/common-app-api/src/main/java/org/openecomp/sdc/common/zip/ZipUtils.java b/common-app-api/src/main/java/org/openecomp/sdc/common/zip/ZipUtils.java
index d90377fc88..25f85badef 100644
--- a/common-app-api/src/main/java/org/openecomp/sdc/common/zip/ZipUtils.java
+++ b/common-app-api/src/main/java/org/openecomp/sdc/common/zip/ZipUtils.java
@@ -75,8 +75,8 @@ public class ZipUtils {
 String canonicalPath = null;
 try {
 canonicalPath = file.getCanonicalPath();
- } catch (final IOException ignored) {
- //ignored
+ } catch (final IOException ex) {
+ LOGGER.debug("Could not get canonical path of file '{}'", file.getPath(), ex);
 }
 if (canonicalPath != null && !canonicalPath.equals(file.getAbsolutePath())) {
 throw new ZipSlipException(filePath.toString());
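Review bot: The ZipSlip guard in this hunk still fails open when `file.getCanonicalPath()` throws: the new catch only logs at debug level, `canonicalPath` stays null, and the `canonicalPath != null && ...` condition is then skipped, so the entry is accepted without the traversal check. For a path-traversal guard the safer behaviour is to reject the entry, for example `throw new ZipSlipException(filePath.toString());` in the catch after logging, and to log at warn rather than debug so a rejected archive is visible in normal logs. The enclosing method starts and ends outside the hunk, so confirm whether any caller relies on the lenient behaviour before tightening it.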
@@ -170,26 +170,10 @@ public class ZipUtils {
 final Map filePathAndByteMap = new HashMap<>();
 try (final ZipInputStream inputZipStream = ZipUtils.getInputStreamFromBytes(zipFileBytes)) {
- byte[] fileByteContent;
- String currentEntryName;
 ZipEntry zipEntry;
 while ((zipEntry = inputZipStream.getNextEntry()) != null) {
- checkForZipSlipInRead(zipEntry);
- currentEntryName = zipEntry.getName();
- fileByteContent = getBytes(inputZipStream);
- if (zipEntry.isDirectory()) {
- if (hasToIncludeDirectories) {
- filePathAndByteMap.put(normalizeFolder(currentEntryName), null);
- }
- } else {
- if (hasToIncludeDirectories) {
- final Path parentFolderPath = Paths.get(zipEntry.getName()).getParent();
- if (parentFolderPath != null) {
- filePathAndByteMap.putIfAbsent(normalizeFolder(parentFolderPath.toString()), null);
- }
- }
- filePathAndByteMap.put(currentEntryName, fileByteContent);
- }
+ filePathAndByteMap
+ .putAll(processZipEntryInRead(zipEntry, getBytes(inputZipStream), hasToIncludeDirectories));
 }
 } catch (final IOException e) {
 LOGGER.warn("Could not close the zip input stream", e);
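Review bot: `getBytes(inputZipStream)` is now evaluated as a call argument, so it runs before `processZipEntryInRead` reaches `checkForZipSlipInRead(zipEntry)`, whereas the removed code validated the entry name first. An entry with a traversal name is therefore read fully into memory before it is rejected. Restoring the order is a one-line change in the loop: put `checkForZipSlipInRead(zipEntry);` on its own line ahead of the `putAll` call. `getBytes` is not visible on this page; if it does not cap the number of bytes read per entry, that limit is worth adding at the same place, since the archive bytes come from the caller.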
@@ -198,6 +182,29 @@ public class ZipUtils {
 return filePathAndByteMap;
 }
+ private static Map processZipEntryInRead(final ZipEntry zipEntry,
+ final byte[] inputStreamBytes,
+ final boolean hasToIncludeDirectories) throws ZipException {
+ final Map filePathAndByteMap = new HashMap<>();
+ checkForZipSlipInRead(zipEntry);
+ if (zipEntry.isDirectory()) {
+ if (hasToIncludeDirectories) {
+ filePathAndByteMap.put(normalizeFolder(zipEntry.getName()), null);
+ }
+ return filePathAndByteMap;
+ }
+
+ if (hasToIncludeDirectories) {
+ final Path parentFolderPath = Paths.get(zipEntry.getName()).getParent();
+ if (parentFolderPath != null) {
+ filePathAndByteMap.putIfAbsent(normalizeFolder(parentFolderPath.toString()), null);
+ }
+ }
+ filePathAndByteMap.put(zipEntry.getName(), inputStreamBytes);
+
+ return filePathAndByteMap;
+ }
+
 /**
 * Adds a {@link File#separator} at the end of the folder path if not present.
 *
-- cgit 1.2.3-korg
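Review bot: `processZipEntryInRead` builds a fresh `HashMap` for every entry, so its `putIfAbsent` on the parent folder always behaves as a plain `put`. The "if absent" decision has effectively moved to the caller's `putAll`, which overwrites existing keys. Folder values are always null, so this looks harmless for well-formed archives. The intent would be clearer, and one allocation per entry saved, if the helper took the accumulated map as a parameter and wrote into it directly. The helper also has no Javadoc; a short one such as `/** Validates the entry name against ZipSlip and returns the map entries to add for it; folder keys map to null. */` would document the null-valued folder convention.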