From 2bb9251043b543bb5005b7cf9af6ac4f58a0f733 Mon Sep 17 00:00:00 2001
From: "Smokowski, Steve (ss835w)"
Date: Wed, 5 Dec 2018 08:30:51 -0500
Subject: Resolve Security Exploits

normalize all file paths before using them

Change-Id: I67aaa00d7218b95dde96f3679efe92c3c0cd33f9
Issue-ID: SO-1275
Signed-off-by: Smokowski, Steve (ss835w)
---
 .../java/db/migration/R__CloudConfigMigration.java | 7 +++--
 .../org/onap/so/asdc/client/ASDCController.java | 3 +-
 .../so/asdc/installer/ToscaResourceStructure.java | 3 +-
 .../onap/so/asdc/installer/bpmn/BpmnInstaller.java | 34 ++++++++++++----------
 .../common/resource/ResourceRequestBuilder.java | 3 +-
 .../java/org/onap/so/client/RestClientSSL.java | 3 +-
 6 files changed, 32 insertions(+), 21 deletions(-)

diff --git a/adapters/mso-openstack-adapters/src/main/java/db/migration/R__CloudConfigMigration.java b/adapters/mso-openstack-adapters/src/main/java/db/migration/R__CloudConfigMigration.java
index 10dbbf1396..6339616803 100644
--- a/adapters/mso-openstack-adapters/src/main/java/db/migration/R__CloudConfigMigration.java
+++ b/adapters/mso-openstack-adapters/src/main/java/db/migration/R__CloudConfigMigration.java
@@ -36,6 +36,7 @@ import org.onap.so.logger.MsoLogger;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Paths;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
@@ -68,9 +69,11 @@ public class R__CloudConfigMigration implements JdbcMigration , MigrationInfoPro
 // Try the override file
 String configLocation = System.getProperty("spring.config.location");
 if (configLocation != null) {
- try (InputStream stream = new FileInputStream(configLocation)) {
+ try (InputStream stream = new FileInputStream(Paths.get(configLocation).normalize().toString())) {
 cloudConfig = loadCloudConfig(stream);
- }
+ }catch(Exception e){
+ LOGGER.warnSimple("Error Loading override.yaml",e);
+ }
 }
 if (cloudConfig == null) {
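Review bot: The new `}catch(Exception e){` in the override-file branch turns every failure to read the operator-supplied config (file missing, unreadable, or malformed) into a single warning, and since the following `if (cloudConfig == null)` line presumably selects a fallback, a mistyped `spring.config.location` now silently runs the migration with a cloud configuration the operator did not intend. Catching only the types the body can throw (`IOException` from the stream, plus whatever `loadCloudConfig` declares, which is outside this hunk) and naming the path in the message keeps the fallback explicit: `} catch (IOException e) { LOGGER.warnSimple("Error loading override config from " + configLocation, e); }`. `Paths.get(configLocation).normalize()` only collapses `.` and `..` segments and does not confine the path to any directory; as the value is a JVM system property rather than request data, a one-line comment saying why it is normalized would stop readers from taking it for a traversal check.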
diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java b/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java
index 03212478cd..9a1392bdca 100644
--- a/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java
+++ b/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java
@@ -26,6 +26,7 @@ import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.nio.file.Paths;
 import java.util.List;
 import org.onap.sdc.api.IDistributionClient;
@@ -355,7 +356,7 @@ public class ASDCController {
 + artifact.getArtifactUUID () + ")");
- String filePath = System.getProperty("mso.config.path") + "/ASDC" + "/" + artifact.getArtifactVersion() + "/" + artifact.getArtifactName();
+ String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", artifact.getArtifactVersion(), artifact.getArtifactName()).normalize().toString();
 // make parent directory
 File file = new File(filePath);
 File fileParent = file.getParentFile();
diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java b/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java
index 030035157d..72aa3c7f5b 100644
--- a/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java
+++ b/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java
@@ -21,6 +21,7 @@ package org.onap.so.asdc.installer;
 import java.io.File;
+import java.nio.file.Paths;
 import java.util.List;
 import org.onap.sdc.api.notification.IArtifactInfo;
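Review bot: `Paths.get(...).normalize().toString()` on the new `filePath` line does not achieve what the commit title claims: `normalize()` resolves `..` segments rather than rejecting them, so an artifact version or name containing `../` still produces a path outside the ASDC directory, merely a tidier one. Those two values come from the `artifact` object (presumably the SDC distribution notification, so not under this service's control) and should be resolved against the intended base directory and refused when the result leaves it. The same pattern is repeated in ToscaResourceStructure (`@@ -126`), BpmnInstaller `buildMimeMultipart` (`@@ -101`) and `extractBpmnFileFromCsar` (`@@ -155`, where `fileName` is taken from a zip entry, the archive-extraction case where this check matters most), and ResourceRequestBuilder (`@@ -266`). Note also that on the default filesystem `Paths.get` throws `NullPointerException` when any segment after the first is null, where the old concatenation produced a literal `null` component, so a notification with a missing version or name now fails on this line rather than at the later file operation. `java.nio.file.Path` needs importing next to `Paths` for the version below.
```java
Path base = Paths.get(System.getProperty("mso.config.path"), "ASDC").toAbsolutePath().normalize();
Path target = base.resolve(artifact.getArtifactVersion()).resolve(artifact.getArtifactName()).normalize();
if (!target.startsWith(base)) {
    throw new IllegalArgumentException("Artifact path escapes ASDC directory: " + target);
}
String filePath = target.toString();
// … unchanged: parent-directory creation …
```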
@@ -126,7 +127,7 @@ public class ToscaResourceStructure {
 LOGGER.debug("MSO config path is: " + System.getProperty("mso.config.path"));
- String filePath = System.getProperty("mso.config.path") + "/ASDC/" + artifact.getArtifactVersion() + "/" + artifact.getArtifactName();
+ String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", artifact.getArtifactVersion(), artifact.getArtifactName()).normalize().toString();
 File spoolFile = new File(filePath);
diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java b/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java
index f5215e9f1f..e4a4c7cdfb 100644
--- a/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java
+++ b/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java
@@ -20,10 +20,15 @@ package org.onap.so.asdc.installer.bpmn;
-import java.io.*;
+import java.io.BufferedOutputStream;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.net.URI;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.util.zip.*;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpEntity;
@@ -32,14 +37,13 @@ import org.apache.http.client.HttpClient;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.entity.ContentType;
-import org.apache.http.impl.client.HttpClientBuilder;
-
-import org.onap.so.logger.MessageEnum;
-import org.onap.so.logger.MsoLogger;
+import org.apache.http.entity.mime.FormBodyPartBuilder;
 import org.apache.http.entity.mime.MultipartEntityBuilder;
 import org.apache.http.entity.mime.content.ByteArrayBody;
 import org.apache.http.entity.mime.content.StringBody;
-import org.apache.http.entity.mime.FormBodyPartBuilder;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.onap.so.logger.MessageEnum;
+import org.onap.so.logger.MsoLogger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Component;
@@ -57,7 +61,7 @@ public class BpmnInstaller {
 public void installBpmn(String csarFilePath) {
 LOGGER.info("Deploying BPMN files from " + csarFilePath);
 try {
- ZipInputStream csarFile = new ZipInputStream(new FileInputStream(csarFilePath));
+ ZipInputStream csarFile = new ZipInputStream(new FileInputStream(Paths.get(csarFilePath).normalize().toString()));
 ZipEntry entry = csarFile.getNextEntry();
 while (entry != null) {
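Review bot: The `ZipInputStream` opened on the new line in `installBpmn` is a plain local inside `try {`, so nothing closes the underlying `FileInputStream` when `getNextEntry()` or the per-entry processing throws, and no `close()` is visible in this hunk; binding it to the block the method already has, `try (ZipInputStream csarFile = new ZipInputStream(new FileInputStream(Paths.get(csarFilePath).normalize().toString()))) {`, fixes that without touching the catch clause. The rest of `installBpmn`, including that catch clause, lies outside the hunk, so if it closes the stream on the success path the leak is limited to the exception path. `normalize()` here only canonicalises `csarFilePath`; it does not restrict which file is opened, so neither the log line above it nor the commit message should present it as a traversal control.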
@@ -101,28 +105,28 @@ public class BpmnInstaller {
 csarFilePath, "", "",
- ex.getMessage(), "", "", MsoLogger.ErrorCode.DataError, "ASDC reading CSAR with workflows failed");
+ ex.getMessage(), "", "", MsoLogger.ErrorCode.DataError, "ASDC reading CSAR with workflows failed");
 }
 return;
 }
- protected HttpResponse sendDeploymentRequest(String bpmnFileName) throws Exception {
+ protected HttpResponse sendDeploymentRequest(String bpmnFileName) throws Exception {
 HttpClient client = HttpClientBuilder.create().build();
- String deploymentUri = this.env.getProperty(CAMUNDA_URL) + CREATE_DEPLOYMENT_PATH;
+ URI deploymentUri = new URI(this.env.getProperty(CAMUNDA_URL) + CREATE_DEPLOYMENT_PATH);
 HttpPost post = new HttpPost(deploymentUri);
 RequestConfig requestConfig = RequestConfig.custom().setSocketTimeout(1000000).setConnectTimeout(1000).setConnectionRequestTimeout(1000).build();
 post.setConfig(requestConfig);
- HttpEntity requestEntity = buildMimeMultipart(bpmnFileName);
+ HttpEntity requestEntity = buildMimeMultipart(bpmnFileName);
 post.setEntity(requestEntity);
 return client.execute(post);
 }
 protected HttpEntity buildMimeMultipart(String bpmnFileName) throws Exception {
- FileInputStream bpmnFileStream = new FileInputStream (System.getProperty("mso.config.path") + "/ASDC" + "/" + bpmnFileName);
+ FileInputStream bpmnFileStream = new FileInputStream (Paths.get(System.getProperty("mso.config.path"),"ASDC", bpmnFileName).normalize().toString());
 byte[] bytesToSend = IOUtils.toByteArray(bpmnFileStream);
- HttpEntity requestEntity = MultipartEntityBuilder.create()
+ HttpEntity requestEntity = MultipartEntityBuilder.create()
 .addPart(FormBodyPartBuilder.create()
 .setName("deployment-name")
 .setBody(new StringBody("MSO Sample 1", ContentType.TEXT_PLAIN))
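Review bot: `bpmnFileStream` in `buildMimeMultipart` is opened on the changed line and drained by `IOUtils.toByteArray` on the next, but nothing in the visible code closes it, so each deployment request appears to leak a file descriptor; `byte[] bytesToSend = Files.readAllBytes(Paths.get(System.getProperty("mso.config.path"), "ASDC", bpmnFileName).normalize());` replaces both lines, needs no stream at all, and only requires adding `import java.nio.file.Files;` to the import block this commit already rewrites. `buildMimeMultipart` continues past the end of the hunk, so if a `close()` exists further down this reduces to the exception path, which the one-liner still covers. The `new URI(...)` change in `sendDeploymentRequest` is sound, but it now throws `URISyntaxException` (covered by the existing `throws Exception`) when `CAMUNDA_URL` is unset or malformed, which is worth a comment so callers know a configuration error surfaces here.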
@@ -155,7 +159,7 @@ public class BpmnInstaller {
 }
 protected void extractBpmnFileFromCsar(ZipInputStream zipIn, String fileName) throws IOException {
- String filePath = System.getProperty("mso.config.path") + "/ASDC" + "/" + fileName;
+ String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", fileName).normalize().toString();
 BufferedOutputStream outputStream = new BufferedOutputStream(new FileOutputStream(filePath));
 byte[] bytesIn = new byte[4096];
 int read = 0;
diff --git a/bpmn/MSOCommonBPMN/src/main/java/org/onap/so/bpmn/common/resource/ResourceRequestBuilder.java b/bpmn/MSOCommonBPMN/src/main/java/org/onap/so/bpmn/common/resource/ResourceRequestBuilder.java
index 1989ca8cf9..1531e4d7b3 100644
--- a/bpmn/MSOCommonBPMN/src/main/java/org/onap/so/bpmn/common/resource/ResourceRequestBuilder.java
+++ b/bpmn/MSOCommonBPMN/src/main/java/org/onap/so/bpmn/common/resource/ResourceRequestBuilder.java
@@ -22,6 +22,7 @@ package org.onap.so.bpmn.common.resource;
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
@@ -266,7 +267,7 @@ public class ResourceRequestBuilder {
 HashMap map = new Gson().fromJson(value, new TypeToken>() {}.getType());
- String filePath = System.getProperty("mso.config.path") + "/ASDC/" + map.get("version") + "/" + map.get("name");
+ String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", map.get("version"), map.get("name")).normalize().toString();
 File csarFile = new File(filePath);
diff --git a/common/src/main/java/org/onap/so/client/RestClientSSL.java b/common/src/main/java/org/onap/so/client/RestClientSSL.java
index ac4a8d1a7c..8369eba859 100644
--- a/common/src/main/java/org/onap/so/client/RestClientSSL.java
+++ b/common/src/main/java/org/onap/so/client/RestClientSSL.java
@@ -22,6 +22,7 @@ package org.onap.so.client;
 import java.io.FileInputStream;
 import java.net.URI;
+import java.nio.file.Paths;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.util.Optional;
@@ -72,7 +73,7 @@ public abstract class RestClientSSL extends RestClient {
 private KeyStore getKeyStore() {
 KeyStore ks = null;
 char[] password = System.getProperty(RestClientSSL.SSL_KEY_STORE_PASSWORD_KEY).toCharArray();
- try(FileInputStream fis = new FileInputStream(System.getProperty(RestClientSSL.SSL_KEY_STORE_KEY))) {
+ try(FileInputStream fis = new FileInputStream(Paths.get(System.getProperty(RestClientSSL.SSL_KEY_STORE_KEY)).normalize().toString())) {
 ks = KeyStore.getInstance(KeyStore.getDefaultType());
 ks.load(fis, password);
-- 
cgit 1.2.3-korg
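Review bot: The `normalize()` added to the keystore path in `getKeyStore` changes nothing about which file is opened beyond collapsing `.` and `..` segments, and the value is a JVM system property (`SSL_KEY_STORE_KEY`) rather than caller-supplied data, so a reader who takes the commit title at face value will assume a traversal check exists here that does not. A short comment above the `try`, such as `// keystore path is a JVM system property; normalize() only canonicalises it and is not a confinement check`, would set expectations and keep a later reviewer from "hardening" the wrong place. `getKeyStore` continues past the end of the hunk.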