From 2bb9251043b543bb5005b7cf9af6ac4f58a0f733 Mon Sep 17 00:00:00 2001
From: "Smokowski, Steve (ss835w)"
Date: Wed, 5 Dec 2018 08:30:51 -0500
Subject: Resolve Security Exploits
normalize all file paths before using them
Change-Id: I67aaa00d7218b95dde96f3679efe92c3c0cd33f9
Issue-ID: SO-1275
Signed-off-by: Smokowski, Steve (ss835w)
---
 .../org/onap/so/asdc/client/ASDCController.java | 3 +-
 .../so/asdc/installer/ToscaResourceStructure.java | 3 +-
 .../onap/so/asdc/installer/bpmn/BpmnInstaller.java | 34 ++++++++++++----------
 3 files changed, 23 insertions(+), 17 deletions(-)
(limited to 'asdc-controller')
diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java b/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java
index 03212478cd..9a1392bdca 100644
--- a/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java
+++ b/asdc-controller/src/main/java/org/onap/so/asdc/client/ASDCController.java
@@ -26,6 +26,7 @@ import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.nio.file.Paths;
 import java.util.List;
 import org.onap.sdc.api.IDistributionClient;
@@ -355,7 +356,7 @@ public class ASDCController {
 + artifact.getArtifactUUID () + ")");
- String filePath = System.getProperty("mso.config.path") + "/ASDC" + "/" + artifact.getArtifactVersion() + "/" + artifact.getArtifactName();
+ String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", artifact.getArtifactVersion(), artifact.getArtifactName()).normalize().toString();
 // make parent directory
 File file = new File(filePath);
 File fileParent = file.getParentFile();
diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java b/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java
index 030035157d..72aa3c7f5b 100644
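Review bot: The new `filePath` line normalizes the joined path but never checks that the result stays under the ASDC directory, so `normalize()` resolves `..` segments in `artifact.getArtifactVersion()` or `artifact.getArtifactName()` into a path outside it and the following `new File(filePath)` and parent-directory creation operate there. The same pattern appears in the ToscaResourceStructure hunk and in BpmnInstaller's buildMimeMultipart and extractBpmnFileFromCsar, where `fileName` is taken from a CSAR zip entry, so the containment check is needed in all four places. Note also that `Paths.get` throws NullPointerException when `mso.config.path` or either artifact field is null, where the old concatenation produced a `null` segment, so if null is possible upstream it now needs explicit handling. The enclosing method starts and ends outside the hunk. Resolve against a normalized base and reject any result that does not start with it (needs `import java.nio.file.Path;` next to `Paths`; the exception type below is a stand-in for whatever error path the method already uses):
```java
// … unchanged: log statement above …
Path asdcBase = Paths.get(System.getProperty("mso.config.path"), "ASDC").toAbsolutePath().normalize();
Path target = asdcBase.resolve(artifact.getArtifactVersion()).resolve(artifact.getArtifactName()).normalize();
if (!target.startsWith(asdcBase)) {
    // reject any artifact whose version or name resolves outside the spool directory
    throw new IllegalArgumentException("artifact path escapes the ASDC directory: " + artifact.getArtifactName());
}
String filePath = target.toString();
// … unchanged: parent directory creation …
```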
--- a/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java
+++ b/asdc-controller/src/main/java/org/onap/so/asdc/installer/ToscaResourceStructure.java
@@ -21,6 +21,7 @@ package org.onap.so.asdc.installer;
 import java.io.File;
+import java.nio.file.Paths;
 import java.util.List;
 import org.onap.sdc.api.notification.IArtifactInfo;
@@ -126,7 +127,7 @@ public class ToscaResourceStructure {
 LOGGER.debug("MSO config path is: " + System.getProperty("mso.config.path"));
- String filePath = System.getProperty("mso.config.path") + "/ASDC/" + artifact.getArtifactVersion() + "/" + artifact.getArtifactName();
+ String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", artifact.getArtifactVersion(), artifact.getArtifactName()).normalize().toString();
 File spoolFile = new File(filePath);
diff --git a/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java b/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java
index f5215e9f1f..e4a4c7cdfb 100644
--- a/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java
+++ b/asdc-controller/src/main/java/org/onap/so/asdc/installer/bpmn/BpmnInstaller.java
@@ -20,10 +20,15 @@ package org.onap.so.asdc.installer.bpmn;
-import java.io.*;
+import java.io.BufferedOutputStream;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.net.URI;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.util.zip.*;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpEntity;
@@ -32,14 +37,13 @@ import org.apache.http.client.HttpClient;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.entity.ContentType;
-import org.apache.http.impl.client.HttpClientBuilder;
-
-import org.onap.so.logger.MessageEnum;
-import org.onap.so.logger.MsoLogger;
+import org.apache.http.entity.mime.FormBodyPartBuilder;
 import org.apache.http.entity.mime.MultipartEntityBuilder;
 import org.apache.http.entity.mime.content.ByteArrayBody;
 import org.apache.http.entity.mime.content.StringBody;
-import org.apache.http.entity.mime.FormBodyPartBuilder;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.onap.so.logger.MessageEnum;
+import org.onap.so.logger.MsoLogger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Component;
@@ -57,7 +61,7 @@ public class BpmnInstaller {
 public void installBpmn(String csarFilePath) {
 LOGGER.info("Deploying BPMN files from " + csarFilePath);
 try {
- ZipInputStream csarFile = new ZipInputStream(new FileInputStream(csarFilePath));
+ ZipInputStream csarFile = new ZipInputStream(new FileInputStream(Paths.get(csarFilePath).normalize().toString()));
 ZipEntry entry = csarFile.getNextEntry();
 while (entry != null) {
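Review bot: The `ZipInputStream` opened on the changed line is a plain local inside the `try {` block with no try-with-resources, so it is not closed if reading the archive throws; the added `Paths.get(csarFilePath).normalize()` does not change that and, by itself, only collapses `..` segments without restricting where the CSAR is read from. Unless the part of installBpmn outside the hunk closes it in a `finally`, open the stream as the try resource: `try (ZipInputStream csarFile = new ZipInputStream(new FileInputStream(Paths.get(csarFilePath).normalize().toString()))) {`. installBpmn continues past the hunk.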
@@ -101,28 +105,28 @@ public class BpmnInstaller {
 csarFilePath, "", "",
- ex.getMessage(), "", "", MsoLogger.ErrorCode.DataError, "ASDC reading CSAR with workflows failed");
+ ex.getMessage(), "", "", MsoLogger.ErrorCode.DataError, "ASDC reading CSAR with workflows failed");
 }
 return;
 }
- protected HttpResponse sendDeploymentRequest(String bpmnFileName) throws Exception {
+ protected HttpResponse sendDeploymentRequest(String bpmnFileName) throws Exception {
 HttpClient client = HttpClientBuilder.create().build();
- String deploymentUri = this.env.getProperty(CAMUNDA_URL) + CREATE_DEPLOYMENT_PATH;
+ URI deploymentUri = new URI(this.env.getProperty(CAMUNDA_URL) + CREATE_DEPLOYMENT_PATH);
 HttpPost post = new HttpPost(deploymentUri);
 RequestConfig requestConfig = RequestConfig.custom().setSocketTimeout(1000000).setConnectTimeout(1000).setConnectionRequestTimeout(1000).build();
 post.setConfig(requestConfig);
- HttpEntity requestEntity = buildMimeMultipart(bpmnFileName);
+ HttpEntity requestEntity = buildMimeMultipart(bpmnFileName);
 post.setEntity(requestEntity);
 return client.execute(post);
 }
 protected HttpEntity buildMimeMultipart(String bpmnFileName) throws Exception {
- FileInputStream bpmnFileStream = new FileInputStream (System.getProperty("mso.config.path") + "/ASDC" + "/" + bpmnFileName);
+ FileInputStream bpmnFileStream = new FileInputStream (Paths.get(System.getProperty("mso.config.path"),"ASDC", bpmnFileName).normalize().toString());
 byte[] bytesToSend = IOUtils.toByteArray(bpmnFileStream);
- HttpEntity requestEntity = MultipartEntityBuilder.create()
+ HttpEntity requestEntity = MultipartEntityBuilder.create()
 .addPart(FormBodyPartBuilder.create()
 .setName("deployment-name")
 .setBody(new StringBody("MSO Sample 1", ContentType.TEXT_PLAIN))
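Review bot: `bpmnFileStream` in buildMimeMultipart is opened on the changed line, drained by `IOUtils.toByteArray`, and never closed in the lines shown, so the file handle leaks on every deployment and on any exception raised before the entity is built. Reading the bytes through `Files` removes the stream entirely: replace the two lines with `byte[] bytesToSend = Files.readAllBytes(Paths.get(System.getProperty("mso.config.path"), "ASDC", bpmnFileName).normalize());` and add `import java.nio.file.Files;`. The `HttpClient` created in sendDeploymentRequest is likewise never closed before the method returns the response, which leaks its connection manager per call. buildMimeMultipart continues past the hunk.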
@@ -155,7 +159,7 @@ public class BpmnInstaller {
 }
 protected void extractBpmnFileFromCsar(ZipInputStream zipIn, String fileName) throws IOException {
- String filePath = System.getProperty("mso.config.path") + "/ASDC" + "/" + fileName;
+ String filePath = Paths.get(System.getProperty("mso.config.path"), "ASDC", fileName).normalize().toString();
 BufferedOutputStream outputStream = new BufferedOutputStream(new FileOutputStream(filePath));
 byte[] bytesIn = new byte[4096];
 int read = 0;
-- cgit 1.2.3-korg
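Review bot: `outputStream` is opened on the line after the changed one as a plain local, and the rest of extractBpmnFileFromCsar lies outside the hunk, so unless that part closes it in a `finally` the handle leaks whenever the copy loop throws. Opening it as a try resource, `try (BufferedOutputStream outputStream = new BufferedOutputStream(new FileOutputStream(filePath))) {`, makes the close unconditional; the method's closing brace is outside the hunk.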