authorSmokowski, Steve (ss835w) <ss835w@us.att.com>2018-12-05 08:30:51 -0500
committerSmokowski, Steve (ss835w) <ss835w@us.att.com>2018-12-05 08:30:51 -0500
commit2bb9251043b543bb5005b7cf9af6ac4f58a0f733 (patch)
tree1d2667f823e552fa81e6287febfad0ba5c17269a /asdc-controller
parent9a3841eadc588c3b3f50f2351b741edd139ca13c (diff)
Resolve Security Exploits
normalize all file paths before using them Change-Id: I67aaa00d7218b95dde96f3679efe92c3c0cd33f9 Issue-ID: SO-1275 Signed-off-by: Smokowski, Steve (ss835w) <ss835w@us.att.com>
Diffstat (limited to 'asdc-controller')
-rw-r--r--asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java3
-rw-r--r--asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java3
-rw-r--r--asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java34
3 files changed, 23 insertions, 17 deletions
diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java b/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java
index 03212478cd..9a1392bdca 100644
--- a/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java
+++ b/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java
@@ -26,6 +26,7 @@ import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
+import java.nio.file.Paths;
import java.util.List;
import org.onap.sdc.api.IDistributionClient;
@@ -355,7 +356,7 @@ public class ASDCController {
+ artifact.getArtifactUUID ()
+ ")");
- String filePath = System.getProperty("mso.config.path") + "/ASDC" + "/" + artifact.getArtifactVersion() + "/" + artifact.getArtifactName();
+ String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", artifact.getArtifactVersion(), artifact.getArtifactName()).normalize().toString();
// make parent directory
File file = new File(filePath);
File fileParent = file.getParentFile();
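Review bot: `normalize()` on the new `filePath` line only collapses `.` and `..` segments; it does not keep the result under `mso.config.path/ASDC`, so an artifact version or name containing `..`, or an absolute path, still resolves outside that directory before `new File(filePath)` is used. The missing step is a containment check: resolve against a normalized base and reject the result unless `target.startsWith(base)`. The same pattern is repeated in the ToscaResourceStructure hunk and in `buildMimeMultipart` and `extractBpmnFileFromCsar` in BpmnInstaller, where `fileName` appears to come from a CSAR zip entry. The enclosing method starts and ends outside this hunk, so the exception type below should follow its existing error handling, and `java.nio.file.Path` would need importing.

```java
Path asdcRoot = Paths.get(System.getProperty("mso.config.path"), "ASDC").toAbsolutePath().normalize();
Path target = asdcRoot.resolve(Paths.get(artifact.getArtifactVersion(), artifact.getArtifactName())).normalize();
// Reject anything that lands outside the ASDC spool directory after normalization.
if (!target.startsWith(asdcRoot)) {
    throw new IllegalArgumentException("Artifact path escapes the ASDC directory: " + target);
}
String filePath = target.toString();
// … unchanged: make parent directory and write the artifact …
```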
diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java b/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java
index 030035157d..72aa3c7f5b 100644
--- a/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java
+++ b/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java
@@ -21,6 +21,7 @@
package org.onap.so.asdc.installer;
import java.io.File;
+import java.nio.file.Paths;
import java.util.List;
import org.onap.sdc.api.notification.IArtifactInfo;
@@ -126,7 +127,7 @@ public class ToscaResourceStructure {
LOGGER.debug("MSO config path is: " + System.getProperty("mso.config.path"));
- String filePath = System.getProperty("mso.config.path") + "/ASDC/" + artifact.getArtifactVersion() + "/" + artifact.getArtifactName();
+ String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", artifact.getArtifactVersion(), artifact.getArtifactName()).normalize().toString();
File spoolFile = new File(filePath);
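Review bot: The new `Paths.get(...)` call on the `filePath` line changes how missing values behave: a null artifact version or name now throws `NullPointerException` inside `Paths.get`, where the old concatenation produced the text "null", and a missing `mso.config.path` property may do the same depending on the JDK. Since the line above already logs the property for debugging, it seems worth failing with a clear message instead, for example `Objects.requireNonNull(System.getProperty("mso.config.path"), "mso.config.path is not set")` before building the path. The enclosing method is outside the hunk, so how it reports errors could not be checked.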
diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java b/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java
index f5215e9f1f..e4a4c7cdfb 100644
--- a/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java
+++ b/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java
@@ -20,10 +20,15 @@
package org.onap.so.asdc.installer.bpmn;
-import java.io.*;
+import java.io.BufferedOutputStream;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
-import java.util.zip.*;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
import org.apache.commons.io.IOUtils;
import org.apache.http.HttpEntity;
@@ -32,14 +37,13 @@ import org.apache.http.client.HttpClient;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
-import org.apache.http.impl.client.HttpClientBuilder;
-
-import org.onap.so.logger.MessageEnum;
-import org.onap.so.logger.MsoLogger;
+import org.apache.http.entity.mime.FormBodyPartBuilder;
import org.apache.http.entity.mime.MultipartEntityBuilder;
import org.apache.http.entity.mime.content.ByteArrayBody;
import org.apache.http.entity.mime.content.StringBody;
-import org.apache.http.entity.mime.FormBodyPartBuilder;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.onap.so.logger.MessageEnum;
+import org.onap.so.logger.MsoLogger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;
@@ -57,7 +61,7 @@ public class BpmnInstaller {
public void installBpmn(String csarFilePath) {
LOGGER.info("Deploying BPMN files from " + csarFilePath);
try {
- ZipInputStream csarFile = new ZipInputStream(new FileInputStream(csarFilePath));
+ ZipInputStream csarFile = new ZipInputStream(new FileInputStream(Paths.get(csarFilePath).normalize().toString()));
ZipEntry entry = csarFile.getNextEntry();
while (entry != null) {
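Review bot: `Paths.get(csarFilePath).normalize()` has no base directory to compare against, so it restricts nothing about which file is opened; if `csarFilePath` can be influenced from outside, the normalized path should be checked with `startsWith` against the expected directory. Separately, the stream created on this line is not opened in try-with-resources, so unless it is closed outside this hunk it leaks when the entry loop throws: `try (ZipInputStream csarFile = new ZipInputStream(new FileInputStream(csarFilePath))) {`. The body of `installBpmn` continues outside the hunk.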
@@ -101,28 +105,28 @@ public class BpmnInstaller {
csarFilePath,
"",
"",
- ex.getMessage(), "", "", MsoLogger.ErrorCode.DataError, "ASDC reading CSAR with workflows failed");
+ ex.getMessage(), "", "", MsoLogger.ErrorCode.DataError, "ASDC reading CSAR with workflows failed");
}
return;
}
- protected HttpResponse sendDeploymentRequest(String bpmnFileName) throws Exception {
+ protected HttpResponse sendDeploymentRequest(String bpmnFileName) throws Exception {
HttpClient client = HttpClientBuilder.create().build();
- String deploymentUri = this.env.getProperty(CAMUNDA_URL) + CREATE_DEPLOYMENT_PATH;
+ URI deploymentUri = new URI(this.env.getProperty(CAMUNDA_URL) + CREATE_DEPLOYMENT_PATH);
HttpPost post = new HttpPost(deploymentUri);
RequestConfig requestConfig =
RequestConfig.custom().setSocketTimeout(1000000).setConnectTimeout(1000).setConnectionRequestTimeout(1000).build();
post.setConfig(requestConfig);
- HttpEntity requestEntity = buildMimeMultipart(bpmnFileName);
+ HttpEntity requestEntity = buildMimeMultipart(bpmnFileName);
post.setEntity(requestEntity);
return client.execute(post);
}
protected HttpEntity buildMimeMultipart(String bpmnFileName) throws Exception {
- FileInputStream bpmnFileStream = new FileInputStream (System.getProperty("mso.config.path") + "/ASDC" + "/" + bpmnFileName);
+ FileInputStream bpmnFileStream = new FileInputStream (Paths.get(System.getProperty("mso.config.path"),"ASDC", bpmnFileName).normalize().toString());
byte[] bytesToSend = IOUtils.toByteArray(bpmnFileStream);
- HttpEntity requestEntity = MultipartEntityBuilder.create()
+ HttpEntity requestEntity = MultipartEntityBuilder.create()
.addPart(FormBodyPartBuilder.create()
.setName("deployment-name")
.setBody(new StringBody("MSO Sample 1", ContentType.TEXT_PLAIN))
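Review bot: `bpmnFileStream` in `buildMimeMultipart` is opened on the changed line and read with `IOUtils.toByteArray`, which does not close its input, and no close is visible in the hunk, so the file descriptor appears to leak on every deployment request. Reading the bytes inside `try (FileInputStream bpmnFileStream = new FileInputStream(...)) { ... }` avoids that without changing what is sent. The method body continues past the end of the hunk, so confirm that no close follows there.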
@@ -155,7 +159,7 @@ public class BpmnInstaller {
}
protected void extractBpmnFileFromCsar(ZipInputStream zipIn, String fileName) throws IOException {
- String filePath = System.getProperty("mso.config.path") + "/ASDC" + "/" + fileName;
+ String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", fileName).normalize().toString();
BufferedOutputStream outputStream = new BufferedOutputStream(new FileOutputStream(filePath));
byte[] bytesIn = new byte[4096];
int read = 0;