From 84aa83e9203d6f890cc5f425a00ac748d47c5c8f Mon Sep 17 00:00:00 2001
From: vasraz
Date: Tue, 27 Jul 2021 11:19:48 +0100
Subject: Fix Security Hotspot
Fix for https://sonarcloud.io/project/security_hotspots?id=onap_sdc&hotspots=AXrLK9lDm75TRpHZ3DAu
Change-Id: I6427d02bb76618a4b7383e427ce9f762adf73e97
Signed-off-by: Vasyl Razinkov
Issue-ID: SDC-3657
---
 .../be/csar/storage/CsarPackageReducerConfiguration.java | 1 +
 .../openecomp/sdc/be/csar/storage/CsarSizeReducer.java | 15 +++++++++++++++
 .../csar/storage/exception/CsarSizeReducerException.java | 4 ++++
 3 files changed, 20 insertions(+)
(limited to 'common-be/src/main/java/org')
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/CsarPackageReducerConfiguration.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/CsarPackageReducerConfiguration.java
index a14222ab17..08049b4215 100644
--- a/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/CsarPackageReducerConfiguration.java
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/CsarPackageReducerConfiguration.java
@@ -29,5 +29,6 @@ public class CsarPackageReducerConfiguration implements PackageSizeReducerConfig
 private final Set foldersToStrip;
 private final long sizeLimit;
+ private final int thresholdEntries;
 }
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/CsarSizeReducer.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/CsarSizeReducer.java
index 1fef373362..822acc0766 100644
--- a/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/CsarSizeReducer.java
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/CsarSizeReducer.java
@@ -30,6 +30,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.UUID;
 import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
 import java.util.zip.ZipEntry;
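Review bot: The new `thresholdEntries` field in CsarPackageReducerConfiguration carries no documentation and nothing in this hunk constrains its value; read together with the guards added in CsarSizeReducer, a value of zero (for instance an unset configuration property, if the constructor is generated by Lombok as the other final fields suggest) rejects every archive with more than one entry, and a negative value rejects every archive outright. I would state the contract on the field: `/** Maximum number of entries accepted from one CSAR archive (zip-bomb / inode-exhaustion guard); must be positive. */`. Validating the value where the configuration is built, or at least logging the effective limit at startup, would surface a misconfiguration as such instead of as spurious extraction failures. The class body continues outside the hunk, so I cannot see whether a constructor or validation already exists.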
@@ -100,9 +101,16 @@ public class CsarSizeReducer implements PackageSizeReducer {
 }
 private Consumer signedZipProcessingConsumer(final Path csarPackagePath, final ZipFile zf, final ZipOutputStream zos) {
+ final var thresholdEntries = configuration.getThresholdEntries();
+ final var totalEntryArchive = new AtomicInteger(0);
 return zipEntry -> {
 final var entryName = zipEntry.getName();
 try {
+ if (totalEntryArchive.getAndIncrement() > thresholdEntries) {
+ // too much entries in this archive, can lead to inodes exhaustion of the system
+ final var errorMsg = String.format("Failed to extract '%s' from zip '%s'", entryName, csarPackagePath);
+ throw new CsarSizeReducerException(errorMsg);
+ }
 zos.putNextEntry(new ZipEntry(entryName));
 if (!zipEntry.isDirectory()) {
 if (entryName.toLowerCase().endsWith(CSAR_EXTENSION)) {
@@ -123,8 +131,15 @@ public class CsarSizeReducer implements PackageSizeReducer {
 }
 private Consumer unsignedZipProcessingConsumer(final Path csarPackagePath, final ZipFile zf, final ZipOutputStream zos) {
+ final var thresholdEntries = configuration.getThresholdEntries();
+ final var totalEntryArchive = new AtomicInteger(0);
 return zipEntry -> {
 final var entryName = zipEntry.getName();
+ if (totalEntryArchive.getAndIncrement() > thresholdEntries) {
+ // too much entries in this archive, can lead to inodes exhaustion of the system
+ final var errorMsg = String.format("Failed to extract '%s' from zip '%s'", entryName, csarPackagePath);
+ throw new CsarSizeReducerException(errorMsg);
+ }
 try {
 zos.putNextEntry(new ZipEntry(entryName));
 if (!zipEntry.isDirectory()) {
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/exception/CsarSizeReducerException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/exception/CsarSizeReducerException.java
index f57666ac70..806a415ee8 100644
--- a/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/exception/CsarSizeReducerException.java
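Review bot: The guard added in signedZipProcessingConsumer is off by one: `getAndIncrement()` returns the pre-increment value, so counter values 0 through thresholdEntries all pass and the exception fires only on the entry after that, meaning an archive with `thresholdEntries + 1` entries is accepted. Either `if (totalEntryArchive.incrementAndGet() > thresholdEntries)` or `>=` with the current call enforces the limit exactly. The check also sits inside the `try` here, unlike the unsigned variant below, so whatever `catch` follows outside the hunk may intercept the CsarSizeReducerException and rewrap it as a generic extraction failure — worth confirming, because the message as written (`Failed to extract '%s' from zip '%s'`) already hides the reason; `String.format("Zip '%s' exceeds the configured entry limit of %d", csarPackagePath, thresholdEntries)` would tell an operator what actually happened. The comment reads better as `// too many entries in this archive; could exhaust inodes when extracted`. The lambda body continues outside the hunk.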
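Review bot: The guard in unsignedZipProcessingConsumer repeats the five lines of the signed variant verbatim, including the same off-by-one (`getAndIncrement() > thresholdEntries` admits one entry more than the limit), but places them differently — before the `try` here, inside it there — so the two paths already disagree on how the rejection propagates. A private helper called from both consumers keeps them in lock-step and gives the fix one home; the call site then becomes `checkEntryThreshold(totalEntryArchive, thresholdEntries, csarPackagePath);`. The counter is created per invocation of the factory method and captured by the lambda, so a Consumer instance must not be reused across archives; that is how the hunk uses it, but a short comment on `totalEntryArchive` saying so would prevent later misuse. The lambda body continues outside the hunk.
```java
private Consumer unsignedZipProcessingConsumer(final Path csarPackagePath, final ZipFile zf, final ZipOutputStream zos) {
    final var thresholdEntries = configuration.getThresholdEntries();
    // per-archive counter: a Consumer built here must not be reused for another archive
    final var totalEntryArchive = new AtomicInteger(0);
    return zipEntry -> {
        final var entryName = zipEntry.getName();
        checkEntryThreshold(totalEntryArchive, thresholdEntries, csarPackagePath);
        // … unchanged: try { zos.putNextEntry(...); … } …
    };
}

// Rejects the archive once more than `limit` entries have been seen; too many entries
// can exhaust inodes on extraction. Shared by the signed and unsigned consumers.
private void checkEntryThreshold(final AtomicInteger counter, final int limit, final Path csarPackagePath) {
    if (counter.incrementAndGet() > limit) {
        throw new CsarSizeReducerException(
            String.format("Zip '%s' exceeds the configured entry limit of %d", csarPackagePath, limit));
    }
}
```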
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/storage/exception/CsarSizeReducerException.java
@@ -27,4 +27,8 @@ public class CsarSizeReducerException extends BusinessException {
 public CsarSizeReducerException(final String message, final Throwable cause) {
 super(message, cause);
 }
+
+ public CsarSizeReducerException(final String message) {
+ super(message);
+ }
 }
--
cgit 1.2.3-korg
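Review bot: The new single-argument constructor of CsarSizeReducerException has no Javadoc, and the class now offers two constructors without saying when each applies; in this commit the message-only form serves a policy decision (the entry-threshold rejection in CsarSizeReducer) rather than a wrapped I/O failure, and that distinction is worth recording so nobody later "fixes" a cause-less throw by stuffing in an unrelated exception. I would add `/** Creates an exception with no underlying cause, for reducer policy violations such as exceeding the configured entry threshold. */` above it. Whether `BusinessException` is unchecked is not visible here, but the new constructor is thrown from inside a `Consumer` lambda in the other file, which only compiles if it is; a sentence on the class Javadoc stating that callers should expect an unchecked exception would make that contract explicit.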