From bf5eeb23a769a2e2b75f432b74f10fdbcfd2f161 Mon Sep 17 00:00:00 2001
From: "andre.schmid"
Date: Fri, 27 Sep 2019 13:27:11 +0100
Subject: Fix zip slip security flaw
Apply zip slip checking in zip operations throughout the system. Centralizes most of the zip logic in one class. Create tests to zip functionalities and zip slip problem.
Change-Id: I721f3d44b34fe6d242c9537f5a515ce1bb534c9a
Issue-ID: SDC-1401
Signed-off-by: andre.schmid
---
 .../core/tools/exportinfo/ExportDataCommand.java | 20 ++--
 .../core/tools/importinfo/ImportDataCommand.java | 5 +-
 .../org/openecomp/core/tools/util/ZipUtils.java | 104 ---------------------
 3 files changed, 13 insertions(+), 116 deletions(-)
 delete mode 100644 openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/util/ZipUtils.java
(limited to 'openecomp-be/tools/zusammen-tools/src/main')
diff --git a/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/exportinfo/ExportDataCommand.java b/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/exportinfo/ExportDataCommand.java
index 5060f4bce2..2907d1e0cc 100644
--- a/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/exportinfo/ExportDataCommand.java
+++ b/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/exportinfo/ExportDataCommand.java
@@ -28,7 +28,6 @@ import com.datastax.driver.core.Session;
 import com.google.common.collect.Sets;
 import com.google.common.util.concurrent.FutureCallback;
 import com.google.common.util.concurrent.Futures;
-import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Path;
@@ -52,8 +51,9 @@ import org.openecomp.core.tools.commands.Command;
 import org.openecomp.core.tools.commands.CommandName;
 import org.openecomp.core.tools.importinfo.ImportProperties;
 import org.openecomp.core.tools.util.Utils;
-import org.openecomp.core.tools.util.ZipUtils;
 import org.openecomp.core.zusammen.impl.CassandraConnectionInitializer;
+import org.openecomp.sdc.common.zip.ZipUtils;
+import org.openecomp.sdc.common.zip.exception.ZipException;
 import org.openecomp.sdc.logging.api.Logger;
 import org.openecomp.sdc.logging.api.LoggerFactory;
 import org.yaml.snakeyaml.Yaml;
@@ -157,14 +157,14 @@ public final class ExportDataCommand extends Command {
 }, executor);
 }
- private static void zipPath(Path rootDir) throws IOException {
- LocalDateTime date = LocalDateTime.now();
- DateTimeFormatter formatter = DateTimeFormatter.ISO_LOCAL_DATE_TIME;
- String dateStr = date.format(formatter);
- dateStr = dateStr.replaceAll(":", "_");
- String zipFile = System.getProperty("user.home") + File.separatorChar + "onboarding_import" + dateStr + ".zip";
- ZipUtils.createZip(zipFile, rootDir);
- Utils.printMessage(LOGGER, "Exported file :" + zipFile);
+ private static void zipPath(final Path rootDir) throws ZipException {
+ final LocalDateTime date = LocalDateTime.now();
+ final DateTimeFormatter formatter = DateTimeFormatter.ISO_LOCAL_DATE_TIME;
+ final String dateStr = date.format(formatter).replace(":", "_");
+ final Path zipFile = Paths.get(System.getProperty("user.home"),String.format("onboarding_import%s.zip", dateStr));
+ ZipUtils.createZipFromPath(rootDir, zipFile);
+ Utils.printMessage(LOGGER, "Zip file was created " + zipFile.toString());
+ Utils.printMessage(LOGGER, "Exported file :" + zipFile.toString());
 }
diff --git a/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/importinfo/ImportDataCommand.java b/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/importinfo/ImportDataCommand.java
index 1f5281a66e..cff8eb98cf 100644
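Review bot: The two `Utils.printMessage` calls at the end of the new `zipPath` report the same path twice in a row ("Zip file was created …" and "Exported file :…"); the first line was presumably carried over from the removed `ZipUtils.createZip`, which used to log it itself, so one of the two is now redundant. A single `Utils.printMessage(LOGGER, "Exported file: " + zipFile);` is enough, and the explicit `.toString()` adds nothing in a string concatenation. `Paths.get(System.getProperty("user.home"),String.format(...))` is also missing the space after the comma. The import hunk at the top of this file shows `java.nio.file.Path` as context but does not show whether `Paths` is imported, which the new body now depends on — worth confirming in the full file.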
--- a/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/importinfo/ImportDataCommand.java
+++ b/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/importinfo/ImportDataCommand.java
@@ -35,8 +35,9 @@ import org.openecomp.core.tools.commands.Command;
 import org.openecomp.core.tools.commands.CommandName;
 import org.openecomp.core.tools.exportinfo.ExportDataCommand;
 import org.openecomp.core.tools.util.Utils;
-import org.openecomp.core.tools.util.ZipUtils;
 import org.openecomp.core.zusammen.impl.CassandraConnectionInitializer;
+import org.openecomp.sdc.common.zip.ZipUtils;
+import org.openecomp.sdc.common.zip.exception.ZipException;
 import org.openecomp.sdc.logging.api.Logger;
 import org.openecomp.sdc.logging.api.LoggerFactory;
@@ -66,7 +67,7 @@ public class ImportDataCommand extends Command {
 files.forEach(new ImportSingleTable()::importFile);
 }
 FileUtils.forceDelete(outputFolder.toFile()); // leaves directory clean
- } catch (IOException e) {
+ } catch (final IOException | ZipException e) {
 Utils.logError(LOGGER, e);
 }
 return true;
diff --git a/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/util/ZipUtils.java b/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/util/ZipUtils.java
deleted file mode 100644
index f58f18d93c..0000000000
--- a/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/util/ZipUtils.java
+++ /dev/null
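Review bot: The widened `catch (final IOException | ZipException e)` only logs the error and then falls through to the unchanged `return true;`, so an import whose archive was rejected or failed to extract is still reported as successful to the caller; if, as the commit message suggests, the new `ZipUtils` signals a rejected zip-slip entry with `ZipException`, that rejection is now indistinguishable from a clean run. Returning `false` from the catch block (or rethrowing) would let the caller react to it. Because `FileUtils.forceDelete(outputFolder.toFile())` sits inside the `try`, any entries extracted before the failure are also left on disk; moving that cleanup into a `finally` would keep the directory clean on the error path as well. The enclosing method begins outside this hunk, so the return value the caller expects on failure cannot be confirmed from here.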
@@ -1,104 +0,0 @@
-/*-
- * ============LICENSE_START=======================================================
- * SDC
- * ================================================================================
- * Copyright (C) 2017 - 2019 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.openecomp.core.tools.util;
-
-import com.google.common.io.ByteStreams;
-import org.openecomp.sdc.logging.api.Logger;
-import org.openecomp.sdc.logging.api.LoggerFactory;
-
-import java.io.*;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.util.zip.ZipEntry;
-import java.util.zip.ZipException;
-import java.util.zip.ZipInputStream;
-import java.util.zip.ZipOutputStream;
-
-public class ZipUtils {
-
- private static final Logger logger = LoggerFactory.getLogger(ZipUtils.class);
-
- private ZipUtils() {
- // prevent instantiation
- }
-
- public static void createZip(String zipFileName, Path dir) throws IOException {
- File dirObj = dir.toFile();
- Path zippedFile = Files.createFile(Paths.get(zipFileName));
- try (
- FileOutputStream fileOutputStream = new FileOutputStream(File.separator + zippedFile.toFile());
- BufferedOutputStream bos = new BufferedOutputStream(fileOutputStream);
- ZipOutputStream out =
new ZipOutputStream(bos)) {
- File[] files = dirObj.listFiles();
- for (File file : files) {
- out.putNextEntry(new ZipEntry(file.getName()));
- Files.copy(Paths.get(file.getPath()), out);
- out.closeEntry();
- }
- Utils.printMessage(logger, "Zip file was created " + zipFileName);
- }
- }
-
- public static void unzip(Path zipFile, Path outputFolder) throws IOException {
- if (zipFile == null || outputFolder == null) {
- return;
- }
- createDirectoryIfNotExists(outputFolder);
-
- try (FileInputStream fileInputStream = new FileInputStream(zipFile.toFile());
- ZipInputStream stream = new ZipInputStream(fileInputStream)) {
-
- ZipEntry entry;
- while ((entry = stream.getNextEntry()) != null) {
- assertEntryNotVulnerable(entry);
- String fileName = entry.getName();
- File newFile = new File(outputFolder.toString() + File.separator + fileName);
- if (entry.isDirectory()) {
- createDirectoryIfNotExists(newFile.toPath());
- } else {
- persistFile(stream, newFile);
- }
- }
- }
-
- }
-
- private static void persistFile(ZipInputStream stream, File newFile) throws IOException {
- new File(newFile.getParent()).mkdirs();
- try (FileOutputStream outputStream = new FileOutputStream(newFile)) {
- ByteStreams.copy(stream, outputStream);
- }
- }
-
- private static void createDirectoryIfNotExists(Path path) throws IOException {
- if (!path.toFile().exists()) {
- Files.createDirectories(path);
- }
- }
-
- private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
- if (entry.getName().contains("../")) {
- throw new ZipException("Path traversal attempt discovered.");
- }
- }
-}
-
-- cgit 1.2.3-korg