From 7010ea90e14305837a30764db8a5e4bc1338e378 Mon Sep 17 00:00:00 2001
From: aribeiro
Date: Mon, 15 Feb 2021 17:24:11 +0000
Subject: Fix Security Vulnerabilities

Issue-ID: SDC-3500
Signed-off-by: aribeiro
Change-Id: I3fa2ed2bc3a170d8256fbc91c98bbfbaf5c0a403
---
 .../OrchestrationTemplateCandidateImpl.java | 10 ++++--
 .../OrchestrationTemplateCandidateImplTest.java | 39 +++++++++++++++------
 .../test/resources/files/sample-not-signed.csar | Bin 0 -> 24874 bytes
 .../src/test/resources/files/sample-signed.zip | Bin 0 -> 23905 bytes
 4 files changed, 36 insertions(+), 13 deletions(-)
 create mode 100644 openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-not-signed.csar
 create mode 100644 openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-signed.zip
(limited to 'openecomp-be/api')

diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java
index 073400fd68..b393153ece 100644
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/main/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImpl.java
@@ -1,6 +1,7 @@
 /*
  * Copyright © 2016-2018 European Support Limited
  * Copyright © 2021 Nokia
+ * Copyright © 2021 Nordix Foundation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +33,7 @@ import java.util.Optional;
 import javax.activation.DataHandler;
 import javax.inject.Named;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.cxf.jaxrs.ext.multipart.Attachment;
 import org.openecomp.sdc.activitylog.ActivityLogManager;
@@ -39,6 +41,7 @@ import org.openecomp.sdc.activitylog.ActivityLogManagerFactory;
 import org.openecomp.sdc.activitylog.dao.type.ActivityLogEntity;
 import org.openecomp.sdc.activitylog.dao.type.ActivityType;
 import org.openecomp.sdc.common.errors.Messages;
+import org.openecomp.sdc.common.util.ValidationUtils;
 import org.openecomp.sdc.common.utils.SdcCommon;
 import org.openecomp.sdc.datatypes.error.ErrorLevel;
 import org.openecomp.sdc.datatypes.error.ErrorMessage;
@@ -100,13 +103,13 @@ public class OrchestrationTemplateCandidateImpl implements OrchestrationTemplate
         final Attachment fileToUpload, final String user) {
         final byte[] fileToUploadBytes = fileToUpload.getObject(byte[].class);
         final DataHandler dataHandler = fileToUpload.getDataHandler();
-        final String filename = dataHandler.getName();
+        final String filename = ValidationUtils.sanitizeInputString(dataHandler.getName());
         final OnboardingPackageProcessor onboardingPackageProcessor = new OnboardingPackageProcessor(filename, fileToUploadBytes);
         if (onboardingPackageProcessor.hasErrors()) {
             final UploadFileResponseDto uploadFileResponseDto = buildUploadResponseWithError(onboardingPackageProcessor.getErrorMessages().toArray(new ErrorMessage[0]));
-            return Response.ok(uploadFileResponseDto).build();
+            return Response.status(Status.NOT_ACCEPTABLE).entity(uploadFileResponseDto).build();
         }
         final OnboardPackageInfo onboardPackageInfo = onboardingPackageProcessor.getOnboardPackageInfo().orElse(null);
@@ -117,7 +120,8 @@ public class OrchestrationTemplateCandidateImpl implements OrchestrationTemplate
             return Response.ok(uploadFileResponseDto).build();
         }
-        final VspDetails vspDetails = new VspDetails(vspId, new Version(versionId));
+        final VspDetails vspDetails = new VspDetails(ValidationUtils.sanitizeInputString(vspId),
+            new Version(ValidationUtils.sanitizeInputString(versionId)));
         return processOnboardPackage(onboardPackageInfo, vspDetails);
     }
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImplTest.java b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImplTest.java
index dec6342cb8..41891dea74 100644
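Review bot: `Status.NOT_ACCEPTABLE` (406) on the new return in the `hasErrors()` branch denotes a content-negotiation failure (no representation matches the request's Accept header), whereas what is rejected here is the uploaded package itself, so `Status.BAD_REQUEST` describes the failure to API clients more accurately: `return Response.status(Status.BAD_REQUEST).entity(uploadFileResponseDto).build();`. The neighbouring hunk `@@ -117,7 +120,8 @@` still returns `Response.ok(uploadFileResponseDto).build()` for the error DTO built just above it, so the two failure paths of `upload` now report different status families for the same response shape; whichever code is chosen should apply to both. `ValidationUtils.sanitizeInputString` is now applied to `dataHandler.getName()` before the package processor sees it — if that helper does not accept null, a multipart part without a name would fail with an exception here rather than with a validation error, which is worth confirming against the helper. The signature of `upload` starts before this hunk.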
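Review bot: `vspId` and `versionId` are transformed with `ValidationUtils.sanitizeInputString` on the new `VspDetails` line rather than validated; for values that identify a VSP and a version, a rewritten identifier that no longer matches any record would surface downstream as a not-found rather than as an input error. Unless the helper is known to leave well-formed identifiers untouched, a strict allow-list check that rejects the request (and returns the same error DTO as the `hasErrors()` branch) would be the safer contract for identifiers. The unsanitized `vspId`/`versionId` parameters also stay in scope for any earlier use in `upload` outside this hunk, so the sanitized copies only protect the `VspDetails` construction. The enclosing method starts before this hunk.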
--- a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImplTest.java
+++ b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/java/org/openecomp/sdcrests/vsp/rest/services/OrchestrationTemplateCandidateImplTest.java
@@ -22,16 +22,21 @@ package org.openecomp.sdcrests.vsp.rest.services;
 import static junit.framework.TestCase.assertEquals;
 import static junit.framework.TestCase.assertFalse;
+import static org.junit.Assert.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.MockitoAnnotations.initMocks;
 import static org.mockito.Mockito.when;
 import java.io.IOException;
+import java.net.URL;
 import java.util.Arrays;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.UUID;
 import javax.activation.DataHandler;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.cxf.jaxrs.ext.multipart.Attachment;
 import org.apache.cxf.jaxrs.ext.multipart.ContentDisposition;
@@ -135,32 +140,46 @@ public class OrchestrationTemplateCandidateImplTest {
     @Test
     public void uploadSignedTest() {
-        Response response = orchestrationTemplateCandidate.upload("1", "1", mockAttachment("filename.zip"), "1");
-        assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
+        Response response = orchestrationTemplateCandidate
+            .upload("1", "1", mockAttachment("filename.zip", this.getClass().getResource("/files/sample-signed.zip")),
+                "1");
+        assertEquals(Status.OK.getStatusCode(), response.getStatus());
+        assertTrue(((UploadFileResponseDto) response.getEntity()).getErrors().isEmpty());
     }
     @Test
-    public void uploadNotSignedTest(){
-        Response response = orchestrationTemplateCandidate.upload("1", "1", mockAttachment("filename.csar"), "1");
-        assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
+    public void uploadNotSignedTest() {
+        Response response = orchestrationTemplateCandidate.upload("1", "1",
+            mockAttachment("filename.csar", this.getClass().getResource("/files/sample-not-signed.csar")), "1");
+        assertEquals(Status.OK.getStatusCode(), response.getStatus());
+        assertTrue(((UploadFileResponseDto) response.getEntity()).getErrors().isEmpty());
     }
-    private Attachment mockAttachment(final String fileName) {
+    private Attachment mockAttachment(final String fileName, final URL fileToUpload) {
         final Attachment attachment = Mockito.mock(Attachment.class);
         when(attachment.getContentDisposition()).thenReturn(new ContentDisposition("test"));
         final DataHandler dataHandler = Mockito.mock(DataHandler.class);
         when(dataHandler.getName()).thenReturn(fileName);
         when(attachment.getDataHandler()).thenReturn(dataHandler);
-        final byte[] bytes = "upload package Test".getBytes();
+        byte[] bytes = "upload package Test".getBytes();
+        if (Objects.nonNull(fileToUpload)) {
+            try {
+                bytes = IOUtils.toByteArray(fileToUpload);
+            } catch (final IOException e) {
+                logger.error("unexpected exception", e);
+                Assert.fail("Not able to convert file to byte
array");
+            }
+        }
         when(attachment.getObject(ArgumentMatchers.any())).thenReturn(bytes);
         return attachment;
     }
     @Test
     public void uploadSignNotValidTest() {
-        Response response = orchestrationTemplateCandidate.upload("1", "1", mockAttachment("filename.zip"), "1");
-        assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
-        assertFalse(((UploadFileResponseDto)response.getEntity()).getErrors().isEmpty());
+        Response response = orchestrationTemplateCandidate
+            .upload("1", "1", mockAttachment("filename.zip", null), "1");
+        assertEquals(Status.NOT_ACCEPTABLE.getStatusCode(), response.getStatus());
+        assertFalse(((UploadFileResponseDto) response.getEntity()).getErrors().isEmpty());
     }
     @Test
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-not-signed.csar b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-not-signed.csar
new file mode 100644
index 0000000000..e4e60b26d1
Binary files /dev/null and b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-not-signed.csar differ
diff --git a/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-signed.zip b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-signed.zip
new file mode 100644
index 0000000000..fecb45aaaf
Binary files /dev/null and b/openecomp-be/api/openecomp-sdc-rest-webapp/vendor-software-products-rest/vendor-software-products-rest-services/src/test/resources/files/sample-signed.zip differ
--
cgit 1.2.3-korg
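Review bot: `mockAttachment` silently falls back to the `"upload package Test"` payload whenever `fileToUpload` is null, and `this.getClass().getResource(...)` returns null when a resource is missing or misnamed, so a missing `sample-signed.zip` or `sample-not-signed.csar` would make `uploadSignedTest`/`uploadNotSignedTest` fail on the status assertion with no indication that the fixture was not found. Wrapping the two lookups as `Objects.requireNonNull(this.getClass().getResource("/files/sample-signed.zip"), "test fixture missing")` makes that failure explicit at the call site. `uploadSignNotValidTest` now passes `null` and therefore exercises the arbitrary-bytes rejection path rather than a package whose signature fails verification; either the test name should reflect that or a fixture with a genuinely invalid signature should be added. The fallback `"upload package Test".getBytes()` uses the platform charset; `getBytes(StandardCharsets.UTF_8)` keeps the payload identical across build hosts.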